FortiSIEM CMDB Malware URLs

Malware URLs

The CMDB Malware URLs page lists URLs that are known to host malware.

The Threat Stream Malware URL group is included in your FortiSIEM deployment.

Updating System-Defined Malware URL Group

Current system-defined groups are each updated by their own service:

Threat Stream Malware URL

FortiSandbox Malware URL

Hail-A-TAXII Malware URL

You only need to set these to update automatically on a schedule.

  1. Log in to your Supervisor node.
  2. Click CMDB.
  3. Select a system-defined group.
  4. Click Update.
  5. Set the schedule:
    1. Select Update Automatically to open the update scheduler and verify the URI of the update service.
    2. Set the schedule for how often you want the list to update from the service.
    3. Click OK.
    4. Click Save.
  6. Set the user name and password:
    1. Select the link.
    2. Click Edit.
    3. Enter User Name and Password.
    4. Set Data Format to Custom and Incremental.
    5. Click Save.

Manually Creating Malware URLs

  1. Create a group under Blocked URLs as described in Creating CMDB Groups and Adding Objects to Them.
  2. Select the group you created and click New.
  3. Enter information for the Blocked URL you want to add, and then click Save.

Custom Malware URL Threat Feed

This topic describes how to import Malware URL information into FortiSIEM from external threat feed websites.

Prerequisites

Threat feed websites with built in support

Custom threat feed websites – CSV data – one-time manual import

Custom threat feed websites – CSV data – GUI import

Custom threat feed websites – non-CSV data – programmatic import

Custom threat feed websites – STIX formatted data and TAXII import

Prerequisites

Before proceeding, gather the following information about a threat feed website.

The website URL

Credentials required to access the website (optional)

If the website is not supported by FortiSIEM, you may need to understand the format of the data returned by the URL.

If the data is in comma-separated value (CSV) format, a simple integration is possible. Note that the separator need not be a comma; any separator can be used.

If the data is in any other format, e.g. XML, some code needs to be written for the integration, using the FortiSIEM-provided framework.

Threat feed websites with built in support

The following websites are supported

Threat Stream Malware URL (https://api.threatstream.com)

FortiSandbox Malware URL

Hail-A-TAXII Malware IP (http://hailataxii.com/)

To import data from these websites, follow these steps:

  1. In CMDB > Malware URLs, find the website you need to import data from.
  2. Select the folder.
  3. Click Update.
  4. Select Update via API. The link should show in the edit box.
  5. Enter a schedule by clicking on the “+” icon.
  6. Enter the schedule parameters – when to start and how often to import. FortiSIEM recommends no more frequent than hourly.

Custom threat feed websites – CSV data – one-time manual import

This requires that the data to be imported is already in a file in comma-separated value format. The required format is

  1. Select CMDB > Malware URLs.
  2. Click on the “+” button on the left navigation tree to bring up the Create New Malware URL Group dialog.
  3. Enter Group and add Description. Click OK to create the folder under Malware URLs.
  4. Select the folder just created.
  5. Select Import from a file.
  6. Click Browse; enter the file name and click Upload.
  7. The imported data will show on the right pane.

Custom threat feed websites – CSV data – GUI import

This requires that the website data has the following structure:

The file is in comma-separated value format (the separator can be any special character such as space, tab, hash, dollar, etc.).

Each line has only one entry.

Follow these steps.

  1. Select CMDB > Malware URLs.
  2. Click on the “+” button on the left navigation tree to bring up the Create New Malware URL Group dialog.
  3. Enter Group and add Description. Click OK to create the folder under Malware URLs.
  4. Select the folder just created.
  5. Select Update via API.
  6. For Website, Click Add.
  7. In the Data Mapping dialog:
    1. Enter the URL of the website.
    2. Enter User Name and Password (optional).
    3. For Plugin class, the default class AccelOps.service.threatfeed.impl.ThreatFeedWithMappingPolicyService is shown. Do not modify this for this case.
    4. Enter the correct Field separator (by default it is a comma).
    5. Set Data Format to CSV.
    6. Enter the Data Mapping by choosing the mapped field and the corresponding position in the website data. For example, if the URL is in the third position, choose 3 in the Position.
    7. Click Save.
  8. Select an import schedule by clicking + on the Schedule Summary. Select when to start the import and how often to import to get new data from the website.
  9. The imported data will show on the right pane after some time.

Custom threat feed websites – non-CSV data – programmatic import

This is the most general case, where the website data format is not CSV. In this case, the user has to write a Java plugin class by modifying the default system-provided one. Follow the instructions in the FortiSIEM ServiceAPI, available on the FortiSIEM support portal under the FortiSIEM ServiceAPI section.

After the class has been written and fully tested for correctness, follow these steps.

  1. Select CMDB > Malware URLs.
  2. Click on the “+” button on the left navigation tree to bring up the Create New Malware URL Group dialog.
  3. Enter Group and add Description. Click OK to create the folder under Malware URLs.
  4. Select the folder just created.
  5. Select Update via API.
  6. For Website, Click Add.
  7. In the Data Mapping dialog:
    1. Enter the URL of the website.
    2. Enter User Name and Password (optional).
    3. For Plugin class, enter the custom Java class written for this case.
    4. Select Custom as the Data Format.
    5. Click Save.
  8. Select an import schedule by clicking + on the Schedule Summary. Select when to start the import and how often to import to get new data from the website.
  9. The imported data will show on the right pane after some time.

Custom threat feed websites – STIX formatted data and TAXII import

In this case, the threat feed data is available formatted as STIX and follows the TAXII protocol.

  1. Select CMDB > Malware URLs.
  2. Click on the “+” button on the left navigation tree to bring up the Create New Malware URL Group dialog.
  3. Enter Group and add Description. Click OK to create the folder under Malware URLs.
  4. Select the folder just created.
  5. Select Update via API.
  6. For Website, Click Add.
  7. In the Data Mapping dialog:
    1. Enter the URL of the website.
    2. Enter User Name and Password (optional).
    3. For Plugin class, choose STIX-TAXII and Full.
    4. Click Save.
  8. Select an import schedule by clicking + on the Schedule Summary. Select when to start the import and how often to import to get new data from the website.
  9. The imported data will show on the right pane after some time.

Malware Hashes

The CMDB Malware Hash page can be used to define a list of malware files and their hash values. When FortiSIEM monitors a directory, it generates these directory events:

Directory Event                        Generated by
PH_DEV_MON_CUST_FILE_CREATE            New file creation
PH_DEV_MON_CUST_FILE_SCAN              Directory is scanned
PH_DEV_MON_CUST_FILE_CHANGE_CONTENT    Changes in file content

When FortiSIEM scans a file and collects its hash, it uses the system rule Malware Hash Check to check the list of malware hashes, and triggers an alert if a match is found.
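The matching step this rule performs, written out as an added Python example (not FortiSIEM's own code): constructed directory-monitor events are checked against a malware hash list, with digests normalized on both sides so a feed that lists uppercase hashes still matches a scanner that reports lowercase. The event attribute names (eventType, hostName, fileName, hashCode) and the sample data are assumptions made for this example.

```python
"""Added example (not FortiSIEM's own code): a stand-alone model of the
Malware Hash Check described above.  Constructed directory-monitor events
are compared against a CMDB-style malware hash list and each match yields
an alert record.  Event attribute names (eventType, hostName, fileName,
hashCode) are assumptions made for this example, not FortiSIEM's."""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# Event types from the directory-event table above.
FILE_EVENT_TYPES = {
    "PH_DEV_MON_CUST_FILE_CREATE",
    "PH_DEV_MON_CUST_FILE_SCAN",
    "PH_DEV_MON_CUST_FILE_CHANGE_CONTENT",
}
# Accepted hex digest lengths and the algorithm each implies.
ALGO_BY_HEX_LEN = {32: "MD5", 40: "SHA1", 64: "SHA256"}


@dataclass(frozen=True)
class MalwareHash:
    name: str    # malware/file name as entered in the CMDB group
    digest: str  # normalized lowercase hex
    algo: str


def normalize_digest(value: str) -> Optional[Tuple[str, str]]:
    """Return (lowercase hex, algorithm), or None if the value is not a usable hash.
    Feeds and scanners disagree on case and whitespace; normalizing both sides
    before comparison avoids silent misses."""
    digest = value.strip().lower()
    if not re.fullmatch(r"[0-9a-f]+", digest):
        return None
    algo = ALGO_BY_HEX_LEN.get(len(digest))
    return (digest, algo) if algo else None


def build_index(raw_entries: Iterable[Tuple[str, str]]) -> Dict[str, MalwareHash]:
    """Build a digest -> entry lookup; malformed hashes are dropped, not guessed."""
    index: Dict[str, MalwareHash] = {}
    for name, raw in raw_entries:
        norm = normalize_digest(raw)
        if norm is not None:
            index[norm[0]] = MalwareHash(name, norm[0], norm[1])
    return index


def check_events(events: Iterable[dict], index: Dict[str, MalwareHash]) -> List[dict]:
    """Only directory-monitor file events carrying a hash are examined; a digest
    present in the index produces one alert record."""
    alerts: List[dict] = []
    for ev in events:
        if ev.get("eventType") not in FILE_EVENT_TYPES:
            continue
        norm = normalize_digest(ev.get("hashCode", ""))
        if norm is None:
            continue
        hit = index.get(norm[0])
        if hit is not None:
            alerts.append({
                "rule": "Malware Hash Check",
                "host": ev.get("hostName"),
                "file": ev.get("fileName"),
                "eventType": ev["eventType"],
                "malware": hit.name,
                "algo": hit.algo,
            })
    return alerts


# Constructed sample data. The digests are the well-known MD5/SHA256 values
# of empty input, used here only as placeholders; the names are invented.
SAMPLE_HASH_LIST = [
    ("Example.Dropper.A", "D41D8CD98F00B204E9800998ECF8427E"),  # uppercase in feed
    ("Example.Trojan.B",
     "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"),
    ("Broken.Entry", "not-a-hash"),  # dropped by build_index
]
SAMPLE_EVENTS = [
    {"eventType": "PH_DEV_MON_CUST_FILE_CREATE", "hostName": "ws-01",
     "fileName": "/tmp/update.exe", "hashCode": "d41d8cd98f00b204e9800998ecf8427e"},
    {"eventType": "PH_DEV_MON_CUST_FILE_SCAN", "hostName": "srv-02",
     "fileName": "/opt/app/lib.so",
     "hashCode": "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855"},
    {"eventType": "PH_DEV_MON_CUST_FILE_CHANGE_CONTENT", "hostName": "srv-02",
     "fileName": "/etc/hosts", "hashCode": "0123456789abcdef0123456789abcdef"},
    # A non-file event type (constructed name) is ignored even with a known hash.
    {"eventType": "EXAMPLE_NON_FILE_EVENT", "hostName": "srv-03",
     "hashCode": "d41d8cd98f00b204e9800998ecf8427e"},
]


def run_sample() -> List[dict]:
    return check_events(SAMPLE_EVENTS, build_index(SAMPLE_HASH_LIST))


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```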

Adding a New Malware Hash

  1. Log in to your Supervisor node.
  2. Go to CMDB > Malware Hash.
  3. Select a group where you want to add the malware hash, or create a new one.
  4. Click New.
  5. Enter information for the malware hash.

Updating System Defined Malware Hash Group

Current system-defined groups are each updated by their own service:

Threat Stream Malware Hash

FortiSandbox Malware Hash

You only need to set these to update automatically on a schedule.

  1. Log in to your Supervisor node.
  2. Click CMDB.
  3. Select a system-defined group.
  4. Click Update.
  5. Select Update Automatically to open the update scheduler and verify the URI of the update service.
  6. Set the schedule for how often you want the list to update from the service.
  7. Click Save.
  8. If you want to remove an IP address or set of IP addresses from the group, clear the Enable selection next to the IP address, and then click Continue to confirm.

The IP address will still be listed in the group, but it will no longer be blocked. Select Enable to resume blocking it.

  9. If you want to add a malware IP address to the group, make sure the group is selected, click New, and enter information about the blocked IP address.

Manually Creating Malware Hash

  1. Create a group under Malware Hash as described in Creating CMDB Groups and Adding Objects to Them.
  2. Select the group you created and click New.
  3. Enter information for the Malware Hash you want to add, and then click Save.

Custom Malware Hash Threat Feed

This topic describes how to import Malware Hash information into FortiSIEM from external threat feed websites.

Prerequisites

Threat feed websites with built in support

Custom threat feed websites – CSV data – one-time manual import

Custom threat feed websites – CSV data – programmatic import

Custom threat feed websites – non-CSV data – programmatic import

Custom threat feed websites – STIX formatted data and TAXII import

Prerequisites

Before proceeding, gather the following information about a threat feed website.

The website URL

Credentials required to access the website (optional)

If the website is not supported by FortiSIEM, you may need to understand the format of the data returned by the URL. If the data is in comma-separated value format (the separator need not be a comma but could be any separator), then a simple integration is possible.

If the data is in any other format, e.g. XML, some code needs to be written for the integration, using the FortiSIEM-provided framework.

Threat feed websites with built in support

The following websites are supported

ThreatStream Malware Hash (https://api.threatstream.com)

FortiSandbox Malware Hash

Hail-A-TAXII Malware IP (http://hailataxii.com/)

To import data from these websites, follow these steps:

  1. In CMDB > Malware Hash, find the website you need to import data from.
  2. Select the folder.
  3. Click Update.
  4. Select Update via API. The link should show in the edit box.
  5. Enter a schedule by clicking on the “+” icon.
  6. Enter the schedule parameters – when to start and how often to import. FortiSIEM recommends no more frequent than hourly.
  7. Select the type of template you want to create.

Custom threat feed websites – CSV data – one-time manual import

This requires that the data to be imported is already in a file in comma-separated value format. The required format is

  1. Select CMDB > Malware Hash.
  2. Click on the “+” button on the left navigation tree to bring up the “Create New Malware Hash Group” dialog.
  3. Enter Group and add Description. Click OK to create the folder under Malware Hash.
  4. Select the folder just created.
  5. Select Import from a file.
  6. Click Browse; enter the file name and click Upload.
  7. The imported data will show on the right pane.

Custom threat feed websites – CSV data – programmatic import

  1. Select CMDB > Malware Hash.
  2. Click on the “+” button on the left navigation tree to bring up the “Create New Malware Hash Group” dialog.
  3. Enter Group and add Description. Click OK to create the folder under Malware Hash.
  4. Select the folder just created.
  5. Select Update via API.
  6. For Website, Click Add.
  7. In the Data Mapping dialog:
    1. Enter the URL of the website.
    2. Enter User Name and Password (optional).
    3. For Plugin class, the default class AccelOps.service.threatfeed.impl.ThreatFeedWithMappingPolicyService is shown. Do not modify this for this case.
    4. Enter the correct Field separator (by default it is a comma).
    5. Select CSV as the Data Format.
    6. Enter the Data Mapping by choosing the mapped field and the corresponding position in the website data. For example, if the Hash is in the third position, choose 3 in the Position.
    7. Click Save.
  8. Select an import schedule by clicking + on the Schedule Summary. Select when to start the import and how often to import to get new data from the website.
  9. The imported data will show on the right pane after some time.

Custom threat feed  websites – non-CSV data – programmatic import

This is the most general case, where the website data format does not satisfy the previous conditions. In this case, the user has to write a Java plugin class by modifying the default system-provided one. Follow the instructions in the FortiSIEM ServiceAPI, available on the FortiSIEM support portal under the FortiSIEM ServiceAPI section. After the class has been written and fully tested for correctness, follow these steps.

  1. Select CMDB > Malware Hash.
  2. Click on the “+” button on the left navigation tree to bring up the “Create New Malware Hash Group” dialog.
  3. Enter Group and add Description. Click OK to create the folder under Malware Hash.
  4. Select the folder just created.
  5. Select Update via API.
  6. For Website, Click Add.
  7. In the Data Mapping dialog:
    1. Enter the URL of the website.
    2. Enter User Name and Password (optional).
    3. For Plugin class, enter the custom Java class written for this case.
    4. Enter the correct Field separator (by default it is a comma).
    5. Select CSV as the Data Format.
    6. Enter the Data Mapping by choosing the mapped field and the corresponding position in the website data. For example, if the Low Hash is in the first position, choose 1 in the Position.
    7. Click Save.
  8. Select an import schedule by clicking + on the Schedule Summary. Select when to start the import and how often to import to get new data from the website.
  9. The imported data will show on the right pane after some time.

Custom threat feed websites – STIX formatted data and TAXII import

In this case, the threat feed data is available formatted as STIX and follows the TAXII protocol.

  1. Select CMDB > Malware Hash.
  2. Click on the “+” button on the left navigation tree to bring up the “Create New Malware Hash Group” dialog.
  3. Enter Group and add Description. Click OK to create the folder under Malware Hash.
  4. Select the folder just created.
  5. Select Update via API.
  6. For Website, Click Add.
  7. In the Data Mapping dialog:
    1. Enter the URL of the website.
    2. Enter User Name and Password (optional).
    3. For Plugin class, choose STIX-TAXII and Full.
    4. Click Save.
  8. Select an import schedule by clicking + on the Schedule Summary. Select when to start the import and how often to import to get new data from the website.
  9. The imported data will show on the right pane after some time.

FortiSIEM CMDB Malware IPs

Malware IPs

The CMDB Malware IPs page lists IP addresses that are known to generate spam, host botnets, create DDoS attacks, and generally contain malware. The two default groups included in your FortiSIEM deployment, Emerging Threats and Zeus, contain IP addresses that are derived from the websites rules.emergingthreats.net and zeustracker.abuse.ch. Because malware IP addresses are constantly shifting, FortiSIEM recommends maintaining a dynamically generated list of IP addresses provided by services such as these that is updated on a regular schedule, but you can also add or remove blocked IP addresses from these system-defined groups, and create your own groups based on manual entry of IP addresses or file upload.

Updating System-Defined Malware IP Groups

System defined groups are Emerging Threats and Zeus, which are updated by their corresponding services. You can set these to update automatically on a schedule, or add or remove individual IP addresses from them.

  1. Log in to your Supervisor node.
  2. Click CMDB.
  3. Select a system-defined group.
  4. Click Update.
  5. Select Update Automatically to open the update scheduler and verify the URI of the update service.
  6. Set the schedule for how often you want the list to update from the service.
  7. Click Save.
  8. If you want to remove an IP address or set of IP addresses from the group, clear the Enable selection next to the IP address, and then click Continue to confirm.

The IP address will still be listed in the group, but it will no longer be blocked. Select Enable to resume blocking it.

  9. If you want to add a malware IP address to the group, make sure the group is selected, click New, and enter information about the blocked IP address.

Manually Creating Malware IP Addresses and Groups

  1. Create a group under Blocked IPs as described in Creating CMDB Groups and Adding Objects to Them.
  2. Select the group you created and click New.
  3. Enter information for the Blocked IP address you want to add, and then click Save.

Custom Malware IP Threat Feed

This topic describes how to import Malware IP information into FortiSIEM from external threat feed websites.

Prerequisites

Websites with built in support

Custom threat feed websites – CSV data – one-time manual import

Custom threat feed websites – CSV data – programmatic import

Custom threat feed websites – non-CSV data – programmatic import

Custom threat feed websites – STIX formatted data and TAXII import

Prerequisites

Before proceeding, gather the following information about a threat feed website.

The website URL

Credentials required to access the website (optional)

If the website is not supported by FortiSIEM, you may need to understand the format of the data returned by the URL. If the data is in comma-separated value format (the separator need not be a comma but could be any separator), then a simple integration is possible.

If the data is in any other format, e.g. XML, some code needs to be written for the integration, using the FortiSIEM-provided framework.

Websites with built in support

The following websites are supported

Emerging threat (http://rules.emergingthreats.net)

Zeus (https://zeustracker.abuse.ch)

Threat Stream Malware IP (https://api.threatstream.com)

Hail-A-TAXII Malware IP (http://hailataxii.com/)

For Threat Stream Malware IP, the following malware types are imported:

Bot IP

Actor IP

APT Email

APT IP

Bruteforce IP

Compromised IP

Malware IP

DDoS IP

Phishing email IP

Phish URL IP

Scan IP

Spam IP

To import data from these websites, follow these steps:

  1. In CMDB > Malware IPs, find the website you need to import data from.
  2. Select the folder.
  3. Click Update.
  4. Select Update via API. The link should show in the edit box.
  5. Enter a schedule by clicking on the “+” icon.
  6. Enter the schedule parameters – when to start and how often to import. FortiSIEM recommends no more frequent than hourly.
  7. Select the type of template you want to create.

Custom threat feed websites – CSV data – one-time manual import

This requires that the data to be imported is already in a file in comma-separated value format. The required format is

  1. Select CMDB > Malware IPs.
  2. Click on the “+” button on the left navigation tree to bring up the Create New Malware IP Group dialog.
  3. Enter Group and add Description. Click OK to create the folder under Malware IPs.
  4. Select the folder just created.
  5. Select Import from a file.
  6. Click Browse; enter the file name and click Upload.
  7. The imported data will show on the right pane.

Custom threat feed websites – CSV data – programmatic import

  1. Select CMDB > Malware IPs.
  2. Click on the “+” button on the left navigation tree to bring up the Create New Malware IP Group dialog.
  3. Enter Group and add Description. Click OK to create the folder under Malware IPs.
  4. Select the folder just created.
  5. Select Update via API.
  6. For Website, Click Add.
  7. In the Data Mapping dialog:
    1. Enter the URL of the website.
    2. Enter User Name and Password (optional).
    3. For Plugin class, the default class AccelOps.service.threatfeed.impl.ThreatFeedWithMappingPolicyService is shown. Do not modify this for this case.
    4. Enter the correct Field separator (by default it is a comma).
    5. Select CSV as the Data Format.
    6. Enter the Data Mapping by choosing the mapped field and the corresponding position in the website data. For example, if the IP is in the third position, choose 3 in the Position.
    7. Click Save.
  8. Select an import schedule by clicking + on the Schedule Summary. Select when to start the import and how often to import to get new data from the website.
  9. The imported data will show on the right pane after some time.

Custom threat feed websites – non-CSV data – programmatic import

This is the most general case, where the website data format does not satisfy the previous conditions. In this case, the user has to write a Java plugin class by modifying the default system-provided one. Follow the instructions in the FortiSIEM ServiceAPI, available on the FortiSIEM support portal under the FortiSIEM ServiceAPI section.

After the class has been written and fully tested for correctness, follow these steps.

  1. Select CMDB > Malware IPs.
  2. Click on the “+” button on the left navigation tree to bring up the Create New Malware IP Group dialog.
  3. Enter Group and add Description. Click OK to create the folder under Malware IPs.
  4. Select the folder just created.
  5. Select Update via API.
  6. For Website, Click Add.
  7. In the Data Mapping dialog:
    1. Enter the URL of the website.
    2. Enter User Name and Password (optional).
    3. For Plugin class, enter the custom Java class written for this case.
    4. Enter the correct Field separator (by default it is a comma).
    5. Select CSV as the Data Format.
    6. Enter the Data Mapping by choosing the mapped field and the corresponding position in the website data. For example, if the Low IP is in the first position, choose 1 in the Position.
    7. Click Save.
  8. Select an import schedule by clicking + on the Schedule Summary. Select when to start the import and how often to import to get new data from the website.
  9. The imported data will show on the right pane after some time.

Custom threat feed websites – STIX formatted data and TAXII import

In this case, the threat feed data is available formatted as STIX and follows the TAXII protocol.

  1. Select CMDB > Malware IPs.
  2. Click on the “+” button on the left navigation tree to bring up the Create New Malware IP Group dialog.
  3. Enter Group and add Description. Click OK to create the folder under Malware IPs.
  4. Select the folder just created.
  5. Select Update via API.
  6. For Website, Click Add.
  7. In the Data Mapping dialog:
    1. Enter the URL of the website.
    2. Enter User Name and Password (optional).
    3. For Plugin class, choose STIX-TAXII and Full.
    4. Click Save.
  8. Select an import schedule by clicking + on the Schedule Summary. Select when to start the import and how often to import to get new data from the website.
  9. The imported data will show on the right pane after some time.

FortiSIEM CMDB Malware Domains

Malware Domains

The CMDB Malware Domains page lists domains that are known to generate spam, host botnets, create DDoS attacks, and generally contain malware. The three default groups included in your FortiSIEM deployment, MalwareDomainList, Zeus Domains, and SANS Domains, contain malware domains that are derived from the websites malwaredomainlist.com, zeustracker.abuse.ch, and isc.sans.edu. Because malware domains are constantly shifting, FortiSIEM recommends maintaining a dynamically generated list of IP addresses provided by services such as these that is updated on a regular schedule, but you can also add or remove blocked IP addresses from these system-defined groups, and create your own groups based on manual entry of IP addresses or file upload.

Updating System Defined Malware Domain Groups

System defined groups are MalwareDomainList, Zeus Domains, and SANS Domains, which are updated by their corresponding services. You can set these to update automatically on a schedule, or add or remove individual IP addresses from them.

Setting Schedule

  1. Log in to your Supervisor node.
  2. Click CMDB.
  3. Select a system-defined group.
  4. Click Update.
  5. Select Update Automatically to open the update scheduler and verify the URI of the update service.
  6. Set the schedule for how often you want the list to update from the service.
  7. Click Save.

Adding/Removing entries

  1. If you want to remove a domain or set of domains from the group, clear the Enable selection next to the domain name, and then click Continue to confirm.

The domain will still be listed in the group, but it will no longer be blocked. Select Enable to resume blocking it.

  2. If you want to add a malware domain to the group, make sure the group is selected, click New, and enter information about the blocked IP address.

Changing to STIX/TAXII

If the system defined threat feeds are available via STIX/TAXII, then check the STIX/TAXII box.

Manually Creating Malware Domains and Groups

  1. Create a group under Blocked Domains as described in Creating CMDB Groups and Adding Objects to Them.
  2. Select the group you created and click New.
  3. Enter information for the Blocked Domain you want to add, and then click Save.

Custom Malware Domain Threat Feed

This topic describes how to import malware domain information into FortiSIEM from external threat feed websites.

Pre-requisites

Threat feed Websites with built in support

Custom threat feed websites – CSV data – one-time manual import

Custom threat feed websites – CSV data – programmatic import

Custom threat feed websites – non-CSV data – programmatic import

Custom threat feed websites – STIX formatted data and TAXII import

Pre-requisites

Before proceeding, gather the following information about a threat feed website.

The website URL

Credentials required to access the website (optional)

If the website is not supported by FortiSIEM, you may need to understand the format of the data returned by the URL. If the data is in comma-separated value format (the separator need not be a comma but could be any separator), then a simple integration is possible.

If the data is in any other format, e.g. XML, some code needs to be written for the integration, using the FortiSIEM-provided framework.

Threat feed Websites with built in support

The following websites are supported

Malware domain list (http://www.malwaredomainlist.com)

Zeus domains (https://zeustracker.abuse.ch)

SANS Domains (https://isc.sans.edu/feeds/)

Threat Stream Domains (https://api.threatstream.com)

Hail-A-TAXII Domains (http://hailataxii.com/)

For Threat Stream, the following malware domain types are included:

Command and Control Domain

Compromised Domain

Malware Domain

Dynamic DNS Domain

APT Domain

To import data from these websites, follow these steps:

  1. In CMDB > Malware Domains, find the website you need to import data from.
  2. Select the folder.
  3. Click Update.
  4. Select Update via API. The link should show in the edit box.
  5. Enter a schedule by clicking on the “+” icon.
  6. Enter the schedule parameters – when to start and how often to import. FortiSIEM recommends no more frequent than hourly.
  7. Select the type of template you want to create.

Custom threat feed websites – CSV data – one-time manual import

This requires that the data to be imported is already in a file in comma-separated value format. The required format is

  1. Select CMDB > Malware Domains.
  2. Click on the “+” button on the left navigation tree to bring up the Create New Malware Domain Group dialog.
  3. Enter Group and add Description. Click OK to create the folder under Malware Domains.
  4. Select the folder just created.
  5. Select Import from a file.
  6. Click Browse; enter the file name and click Upload.
  7. The imported data will show on the right pane.

Custom threat feed websites – CSV data – programmatic import

  1. Select CMDB > Malware Domains.
  2. Click on the “+” button on the left navigation tree to bring up the Create New Malware Domain Group dialog.
  3. Enter Group and add Description. Click OK to create the folder under Malware Domains.
  4. Select the folder just created.
  5. Select Update via API.
  6. For Website, Click Add.
  7. In the Data Mapping dialog:
    1. Enter the URL of the website.
    2. Enter User Name and Password (optional).
    3. For Plugin class, the default class FortiSIEM.service.threatfeed.impl.ThreatFeedWithMappingPolicyService is shown. Do not modify this for this case.
    4. Enter the correct Field separator (by default it is a comma).
    5. Select CSV as the Data Format.
    6. Enter the Data Mapping by choosing the mapped field and the corresponding position in the website data. For example, if the domain name is in the third position, choose 3 in the Position.
    7. Click Save.
  8. Select an import schedule by clicking + on the Schedule Summary. Select when to start the import and how often to import to get new data from the website.
  9. The imported data will show on the right pane after some time.
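The Field separator and Position mapping entered in the Data Mapping dialog, worked through as an added Python example (not FortiSIEM's code and not the ThreatFeedWithMappingPolicyService class) that applies to the CSV import steps in the Malware URL, Malware Hash, Malware IP and Malware Domain sections above: it reads a feed sample the way the mapping would and reports which lines would not map, so a bad position or separator is caught before the schedule runs. The sample feed, field names and value checks are assumptions made for this example.

```python
"""Added example (not FortiSIEM's own code): a pre-flight check for a custom
CSV threat feed before its Field separator and Data Mapping are entered in the
GUI.  It mirrors the data-mapping idea from the steps above: one entry per
line, each field taken from a 1-based column position.  Field names (url,
hash, ip, domain, name) and the sample feed are constructed for this example."""
import ipaddress
import re
from typing import Callable, Dict, List, Tuple
from urllib.parse import urlparse

DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))+$")
HEX_LENGTHS = {32, 40, 64}  # MD5, SHA1, SHA256


def is_url(value: str) -> bool:
    parts = urlparse(value)
    return parts.scheme in ("http", "https") and bool(parts.netloc)


def is_hash(value: str) -> bool:
    return len(value) in HEX_LENGTHS and re.fullmatch(r"[0-9a-fA-F]+", value) is not None


def is_ip(value: str) -> bool:
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def is_domain(value: str) -> bool:
    return DOMAIN_RE.match(value.lower()) is not None


# Validator per mapped field; fields without one (e.g. "name") are taken as-is.
VALIDATORS: Dict[str, Callable[[str], bool]] = {
    "url": is_url, "hash": is_hash, "ip": is_ip, "domain": is_domain}


def parse_feed(text: str, separator: str,
               mapping: Dict[str, int]) -> Tuple[List[dict], List[str]]:
    """Split every line on `separator` and pull each mapped field from its
    1-based position, as the Data Mapping dialog does.  Returns (entries,
    rejects); a line is rejected when a position is missing or a value fails
    its validator, so bad rows never reach the CMDB group unnoticed."""
    entries: List[dict] = []
    rejects: List[str] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank and comment lines carry no entry
        cols = [c.strip() for c in line.split(separator)]
        entry: Dict[str, str] = {}
        problem = None
        for field, pos in mapping.items():
            if pos < 1 or pos > len(cols):
                problem = (f"line {lineno}: position {pos} for '{field}' "
                           f"not present ({len(cols)} columns)")
                break
            value = cols[pos - 1]
            check = VALIDATORS.get(field)
            if check is not None and not check(value):
                problem = f"line {lineno}: '{value}' is not a valid {field}"
                break
            entry[field] = value
        if problem is None:
            entries.append(entry)
        else:
            rejects.append(problem)
    return entries, rejects


# Constructed feed: pipe-separated, URL in the third position (so the GUI
# mapping would be Field separator "|", URL -> Position 3). Hostnames use
# the reserved example/.example names.
SAMPLE_FEED = """# date|name|url
2024-01-05|Example.Loader|http://malicious.example/dl/payload.bin
2024-01-05|Example.Phish|https://login.example.net/verify
2024-01-06|Example.Bad|not a url
2024-01-06|missing-column
"""


def run_sample() -> Tuple[List[dict], List[str]]:
    return parse_feed(SAMPLE_FEED, "|", {"name": 2, "url": 3})


if __name__ == "__main__":
    accepted, rejected = run_sample()
    print(f"{len(accepted)} entries would import; {len(rejected)} lines rejected")
    for reason in rejected:
        print("  ", reason)
```

The same parse_feed call with a different separator and mapping (for example "," and {"ip": 1}) checks a hash, IP or domain feed for the other sections.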

Custom threat feed websites – non-CSV data – programmatic import

This is the most general case, where the website data format does not satisfy the previous conditions. In this case, the user has to write a Java plugin class by modifying the default system-provided one. Follow the instructions in the FortiSIEM ServiceAPI, available on the FortiSIEM support portal under the FortiSIEM ServiceAPI section. After the class has been written and fully tested for correctness, follow these steps.

  1. Select CMDB > Malware Domains.
  2. Click on the “+” button on the left navigation tree to bring up the Create New Malware Domain Group dialog.
  3. Enter Group and add Description. Click OK to create the folder under Malware Domains.
  4. Select the folder just created.
  5. Select Update via API.
  6. For Website, Click Add.
  7. In the Data Mapping dialog:
    1. Enter the URL of the website.
    2. Enter User Name and Password (optional).
    3. For Plugin class, choose the custom Java class written for this case.
    4. Enter the correct Field separator (by default it is a comma).
    5. Select CSV as the Data Format.
    6. Enter the Data Mapping by choosing the mapped field and the corresponding position in the website data. For example, if the domain name is in the third position, choose 3 in the Position.
    7. Click Save.
  8. Select an import schedule by clicking + on the Schedule Summary. Select when to start the import and how often to import to get new data from the website.
  9. The imported data will show on the right pane after some time.

Custom threat feed websites – STIX formatted data and TAXII import

In this case, the threat feed data is available formatted as STIX and follows the TAXII protocol.

  1. Select CMDB > Malware Domains.
  2. Click on the “+” button on the left navigation tree to bring up the Create New Malware Domain Group dialog.
  3. Enter Group and add Description. Click OK to create the folder under Malware Domains.
  4. Select the folder just created.
  5. Select Update via API.
  6. For Website, Click Add.
  7. In the Data Mapping dialog:
    1. Enter the URL of the website.
    2. Enter User Name and Password (optional).
    3. For Plugin class, choose STIX-TAXII and Full.
    4. Click Save.
  8. Select an import schedule by clicking + on the Schedule Summary. Select when to start the import and how often to import to get new data from the website.
  9. The imported data will show on the right pane after some time.

FortiSIEM CMDB Applications

Applications

Applications in the CMDB are grouped at the highest level by Infrastructure and User apps, with further sub-categorization in each of those two categories.

Adding an Application

  1. Log in to your Supervisor node.
  2. Go to CMDB > Applications.
  3. Create a new application group or select an existing one.
  4. Click New.
  5. Enter an Application Name and Process.
  6. Enter any other information for the application.
  7. Click Save.

FortiSIEM Managing CMDB Objects

Managing CMDB Objects

CMDB objects include discovered devices and their network relationships, as well as system objects like rules and events. You can find the full list of these objects in the Device View of the CMDB tab, and you can add objects to the database or edit ones that are already there.

Anonymity Networks and Groups

Setting Up an External Data Source for Anonymity Networks

Applications

Malware Domains

Updating System Defined Malware Domain Groups

Manually Creating Malware Domains and Groups

Custom Malware Domain Threat Feed

Updating System-Defined Malware IP Groups

Manually Creating Malware IP Addresses and Groups

Custom Malware IP Threat Feed

Malware URLs

Updating System-Defined Malware URL Group

Manually Creating Malware URLs

Custom Malware URL Threat Feed

Malware Hashes

Updating System Defined Malware Hash Group

Manually Creating Manual Hash

Custom Malware Hash Threat Feed

Malware Processes

Country Groups

Creating CMDB Groups and Adding Objects to Them

Default Passwords

Creating a Watch List

System-Defined Watch Lists

Anonymity Networks and Groups

An anonymity network is used to hide one’s network identity, and is typically used by malware to hide its originating IP address. Enterprise network traffic should not originate from or be destined to an anonymity network.

When FortiSIEM discovers traffic destined to or originating from anonymity networks, it triggers these rules:

Inbound Traffic from Tor Network

Outbound Traffic to Tor Network

Inbound Traffic from Open Proxies

Outbound Traffic to Open Proxies

Adding an Anonymity Network

  1. Log into your Supervisor node.
  2. Go to CMDB > Anonymity Networks.
  3. Create a group to add the new network to if you are not adding it to an existing group.
  4. Select the group where you want to add the anonymity network.
  5. Click New.
  6. Enter IP, Port, and Country information about the anonymity network.
  7. Click the Calendar icon to enter the date you created or updated this entry.
  8. Click Save.

Setting Up an External Data Source for Anonymity Networks

This topic describes how to import anonymity networks information into FortiSIEM from external threat feed websites. Anonymity networks are used by malware to hide their own identity. Two prominent examples of anonymity networks are Open Proxies and TOR Nodes.

Prerequisites

Procedure

Websites with built in support

Custom websites – CSV data – one-time manual import

Custom websites – CSV data – programmatic import

New Websites – non-CSV data – programmatic import

Prerequisites

Before proceeding gather the following information about a threat feed web site.

The website URL

Credentials required to access the website (optional)

If the website is not supported by FortiSIEM, you may need to understand the format of the data returned by the URL. If the data is in comma separated value format (the separator need not be a comma but could be any separator), then a simple integration is possible.

If the data is in any other format, e.g. XML, then some code needs to be written for integration using the FortiSIEM provided framework.

Procedure

Websites with built in support

The following websites are supported

Threat Stream Open Proxy (https://api.threatstream.com)

Threat Stream TOR Node (https://api.threatstream.com)

To import data from these websites, follow these steps

  1. In the CMDB > Anonymity Network, find the website you need to import data from.
  2. Select the folder.
  3. Click Update.
  4. Select Update via API. The link should show in the edit box.
  5. Enter a schedule by clicking on the “+” icon.
  6. Enter the schedule parameters – when to start and how often to import. FortiSIEM recommends no more frequent than hourly.
  7. Select the type of template you want to create.

Custom websites – CSV data – one-time manual import

This requires that the data to be imported is already in a file in comma separated value format. The required format is

  1. Select CMDB>Anonymity Network.
  2. Click on the “+” button on the left navigation tree to bring up the Create New Anonymity Network Group
  3. Enter Group and add Description. Click OK to create the folder under Anonymity Networks.
  4. Select the folder just created.
  5. Select Import from a file.
  6. Click Browse; enter the file name and click Upload.
  7. The imported data will show on the right pane.

Custom websites – CSV data – programmatic import

This requires that the web site data is

  1. Select CMDB > Anonymity Networks.
  2. Click on the “+” button on the left navigation tree to bring up the Create New Anonymity Network Group
  3. Enter Group and add Description. Click OK to create the folder under Anonymity Networks.
  4. Select the folder just created.
  5. Select Update via API
  6. For Website, Click Add.
  7. In the Data Mapping dialog:
    1. Enter the URL of the website
    2. Enter User Name and Password (optional)
    3. For Plugin class, the default class AccelOps.service.threatfeed.impl.ThreatFeedWithMappingPolicyService is shown. Do not modify this for this case.
    4. Enter the correct Field separator (by default it is a comma)
    5. Select CSV as the Data Format
    6. Enter the Data Mapping by choosing the mapped field and the corresponding position in the website data. For example if the IP is in third position, then choose 3 in the Position
    7. Click Save
  8. Select an import schedule by clicking + on the Schedule Summary. Select when to start the import and how often to import to get new data from the website.
  9. The imported data will show on the right pane after some time.

New Websites – non-CSV data – programmatic import

This is the most general case, where the website data format does not satisfy the previous conditions. In this case, the user has to write a Java plugin class by modifying the default system provided one. After the class has been written and fully tested for correctness, follow these steps.

  1. Select CMDB > Anonymity Networks.
  2. Click on the “+” button on the left navigation tree to bring up the Create New Anonymity Network Group
  3. Enter Group and add Description. Click OK to create the folder under Anonymity Networks.
  4. Select the folder just created.
  5. Select Update via API
  6. For Website, Click Add.
  7. In the Data Mapping dialog:
    1. Enter the URL of the website
    2. Enter User Name and Password (optional)
    3. For Plugin class, choose the custom Java class for this case.
    4. Enter the correct Field separator (by default it is a comma).
    5. Select CSV as the Data Format.
    6. Enter the Data Mapping by choosing the mapped field and the corresponding position in the website data. For example, if the IP address is in the third position, then choose 3 in the Position.
    7. Click Save.
  8. Select an import schedule by clicking + on the Schedule Summary. Select when to start the import and how often to import to get new data from the website.
  9. The imported data will show on the right pane after some time.
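The positional Data Mapping used by the CSV procedures above (mapped field to 1-based Position, with a configurable Field separator), carried through as an added example in Python rather than the FortiSIEM Java plugin; the feed contents, separator and mapping are constructed for the example and are not from the page.

```python
"""Added example (not FortiSIEM code or its Java plugin framework): parse a
separator-delimited threat feed the way the Data Mapping dialog describes it,
addressing mapped fields by 1-based column position."""
import csv
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample feed, '|' separated: id|country|ip|port|last_seen.
# It deliberately includes a comment line, an invalid IP and a short row.
SAMPLE_FEED = """# constructed open-proxy feed: id|country|ip|port|last_seen
1001|US|203.0.113.10|8080|2023-05-01
1002|DE|198.51.100.7|3128|2023-05-02
1003|XX|not-an-ip|80|2023-05-02
1004|FR|192.0.2.55
"""

# Data Mapping as entered in the dialog: mapped field -> Position (1-based),
# i.e. "if the IP is in third position, then choose 3 in the Position".
MAPPING = {"ip": 3, "port": 4, "country": 2}


def parse_feed(text: str, mapping: Dict[str, int],
               separator: str = ",") -> Tuple[List[Dict[str, object]], List[str]]:
    """Return (accepted records, rejection reasons).

    Rows that are comments, shorter than the highest mapped position, or that
    carry an unparsable IP or port are rejected instead of imported, so a
    malformed feed cannot fill the group with garbage entries."""
    accepted: List[Dict[str, object]] = []
    rejected: List[str] = []
    highest = max(mapping.values())
    rows = csv.reader(text.splitlines(), delimiter=separator)
    for lineno, row in enumerate(rows, start=1):
        if not row or row[0].lstrip().startswith("#"):
            continue  # blank or comment line
        if len(row) < highest:
            rejected.append(f"line {lineno}: {len(row)} fields, need {highest}")
            continue
        rec: Dict[str, object] = {name: row[pos - 1].strip()
                                  for name, pos in mapping.items()}
        try:
            if "ip" in rec:
                # Normalises the address and rejects anything that is not one.
                rec["ip"] = str(ipaddress.ip_address(rec["ip"]))
            if "port" in rec:
                port = int(rec["port"])
                if not 0 < port <= 65535:
                    raise ValueError(f"port {port} out of range")
                rec["port"] = port
        except ValueError as exc:
            rejected.append(f"line {lineno}: {exc}")
            continue
        accepted.append(rec)
    return accepted, rejected


if __name__ == "__main__":
    ok, bad = parse_feed(SAMPLE_FEED, MAPPING, separator="|")
    for rec in ok:
        print("import:", rec)
    for reason in bad:
        print("skip:", reason)
```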

FortiSIEM Overview of the CMDB User Interface

Overview of the CMDB User Interface

While the Summary and Widget dashboard views of your IT infrastructure provide real-time monitoring and reporting on your IT infrastructure, the CMDB view provides more in-depth detail about devices, applications, users, and other IT infrastructure components as they are listed in the CMDB, as well as the ability to manage these objects.

Tab Overview

Inventory Management and Edit Details Controls

User Interface Controls for Device View

Data Collection Status

Tab Overview

This screenshot shows the Device view of the CMDB tab with Devices selected in the Device View of the IT infrastructure hierarchy. For any type of object you select in the hierarchy, the CMDB will load a Summary view of the objects in the top pane, and Details for any individual object you select from the summary in the bottom pane. While the available details will change depending on the type of object you select, all objects in the CMDB view will have Inventory Management controls in the summary pane, and an Edit Details control in the Details pane.

Inventory Management and Edit Details Controls

UI Control – Description

New – Add a new object to the CMDB.

  Manually Adding Devices to the CMDB

  In most cases you will want to add devices to the CMDB through the device discovery process, but there are some situations in which you may want to add them manually, as described in Adding Devices to the CMDB Outside of Discovery and Adding a Synthetic Monitoring Test to a Business Service.

Delete – Delete a selected object from the CMDB.

Edit – Edit details about the selected object. You can also use the Edit Details button in the Details pane for the same purpose. You can also set device-specific properties to use in defining per-device thresholds.

User Interface Controls for Device View

The view of devices in the CMDB provides you with a number of ways to access information about a device. Some of the device user interface controls in the CMDB view you can also find in the dashboard summary view of devices, such as the Analysis menu and the Quick Info view of a device.

UI Control – Description

Views

  Inventory – A summary of all devices of that type in the CMDB
  Topo – Shows all devices of the selected type in a topology view
  Performance – Shows a Performance Summary dashboard for all devices of that type

IP Management – Hover your mouse cursor over the IP address associated with a device to open the IP Management menu.

  Quick Info – Loads the Quick Info for the device, which you can also see by selecting Quick Info in the Analysis menu
  Topology – Shows the device’s location in the network topology, which you can also see by clicking the Topology button in the device Details pane
  Show Real-Time events on this IP – Loads a Real Time Search with the selected IP address in the search criteria
  Show Events on this IP for the Past 5 Minutes – Loads a Historical search with the selected IP address in the search criteria and the Time filter set to Last 5 Mins
  Add to WatchList – Add that IP address to a WatchList

More

  Location – Displays any location information associated with the device
  Change Org – For multi-tenant deployments, change the organization associated with the device
  Impacted Org – Shows organizations that the device is associated with
  Maintenance – Displays the maintenance schedule for the device

Export General Info – Exports a summary view of selected devices, or a detailed view of information for a specific device, in PDF or CSV format

Approve – Approve any newly-discovered devices

Analysis – The Analysis menu contains a number of options for component analytics, depending on the component selected. See Using the Analysis Menu for more information. You can also access the Analysis menu for a component by hovering your mouse over the component’s Device IP menu until the blue Quick Info icon appears, and then clicking the icon.

Quick Info – The Quick Info view of a device, which you can also access through the Analysis menu or by hovering your mouse cursor over the Device IP column, displays General and Health information for the device, and when appropriate, Identity and Location information. It also contains links to additional information about the device:

  Incidents – An exportable summary of incidents associated with the device
  Health – Availability, Performance, and Security health information for the device. You can also access this information by clicking the Device Health user interface control, or by selecting Device Health in the Analysis menu.
  BizService – Any business services impacted by the device. You can also access this information by selecting Impacted Business Services in the Analysis menu.
  Applications – Displays a report on the top 10 applications associated with the device by Average CPU Utilization over the past hour
  Vulnerability and IP Status (Not used in the Dashboard view) – Displays the vulnerability status reports that are also available by selecting Vulnerability and IPS Status in the Analysis menu
  Hardware Health (Used only for the CMDB/Storage view) – Displays health information for the hardware being used for storage
  Interfaces – Displays a report on the top 10 interfaces associated with the device by average throughput
  Topology – Shows the device’s location in the network topology. You can also access this information by selecting Topology in the Analysis menu.

  The Quick Info view also contains two links: Goto Config Item, which links to the device entry in the CMDB, and Goto Identity, which links to Analytics > Identity and Location Report, where you can edit this information for the device.

Device Info – Each tab contains information about a specific aspect of the device, as well as an Edit button to change information:

  Summary – General organizational and operational information about the device
  Health – Availability, Performance, and Security health reports for the device. You can also access this information by selecting a device in the Summary dashboard and then clicking Health, or by going to Quick Info > Health after selecting the device. If any Incidents are displayed, click the number to view the Incident Summary. Depending on the reported metric, you can zoom in for a closer look at graphs and reports by clicking the Magnifying Glass icon that appears when you hover your mouse cursor over them.
  Monitor – Shows Event Receive Status and Performance Monitor Status – when data was last collected and status
  Contact – Contact information for the device
  Interfaces – Interfaces connected to the device
  Software – Software running on the device. Categories include Installed Software, Running Applications, Windows Services, and Installed Patches. In the Installed Software category you can use the Diff… button to compare different versions of software you’ve installed.
  Hardware – Information about the hardware associated with the device. Categories include Processors, Storage, SAN Storage, System BIOS, Components, SAN Ports, RAID Groups, LUNs, and Storage Groups.
  Configuration – Configuration files associated with the device. You can compare configuration files by selecting two or more, and then clicking Diff…
  Relationships – Other devices that this device interacts with

Topology – Shows the selected device in the Topology view

Edit Details – Click to edit the Summary, Contact Info, Interfaces, and Properties for the device

Data Collection Status

Real-time data collection status is shown for each device.

Performance Monitor Status

Normal – if every performance monitor job status for this device is Normal

Warning – if at least one performance monitor job status for this device is Warning and none is Critical

Critical – if at least one performance monitor job status for this device is Critical

Event Receive Status

Normal – if the event receive status of every protocol for this device is Normal

Warning – if the event receive status of at least one protocol for this device is Warning and none is Critical

Critical – if the event receive status of at least one protocol for this device is Critical

Performance Monitor Job Status is computed as follows. Two global constants are defined in Admin > Device Support > Custom Properties.

  1. Performance Monitoring Time Gap Warning Threshold – multiples of polling interval (default 3)
  2. Performance Monitoring Time Gap Critical Threshold – multiples of polling interval (default 5)

Event Receive Job Status is computed as follows. Two global constants are defined in Admin > Device Support > Custom Properties.

  1. Event Receive Time Gap Warning Threshold in minutes (default 10)
  2. Event Receive Time Gap Critical Threshold in minutes (default 20)

These constants can also be specified at a per device level from CMDB > Device > Bottom pane Edit > Properties. Write new values for these thresholds in the edit box and click Save.

Metric – Status – Condition

Performance Monitor Job Status

  Normal – Performance Monitoring Time Gap LESS THAN Performance Monitoring Time Gap Warning Threshold
  Warning – Performance Monitoring Time Gap GREATER THAN Performance Monitoring Time Gap Warning Threshold BUT LESS THAN Performance Monitoring Time Gap Critical Threshold
  Critical – Performance Monitoring Time Gap GREATER THAN Performance Monitoring Time Gap Critical Threshold

Event Receive Job Status

  Normal – Event Receive Time Gap LESS THAN Event Receive Time Gap Warning Threshold
  Warning – Event Receive Time Gap GREATER THAN Event Receive Time Gap Warning Threshold BUT LESS THAN Event Receive Time Gap Critical Threshold
  Critical – Event Receive Time Gap GREATER THAN Event Receive Time Gap Critical Threshold

The following table shows how the various job types are classified into Performance Monitor or Event Receive types.

Job Type – Classification in CMDB > Device > Monitor

Jobs defined in Admin > Setup wizard > Monitor Change/performance – Performance Monitor
Jobs defined in Admin > Setup wizard > Pull Events (e.g. – Event Receive
Protocols via which data is pushed to us – syslog, SNMP Trap, Netflow, SFlow, Windows Agents etc. – Event Receive

The following rules trigger when certain data collection exceptions happen.

Rule – When does it trigger? – When does it clear?

Missing specific performance metric from a device
  Triggers when Performance Monitor is Critical for one job for a monitored device
  Clears when Performance Monitor is Normal for that job from that device

No performance metrics from a device
  Triggers when Performance Monitor is Critical for ALL jobs for a monitored device
  Clears when Performance Monitor is Normal for all jobs from that device

FortiSIEM Performance Monitoring Relay Not Working – All Devices delayed
  Triggers when Performance Monitor is Critical for all devices monitored by a Worker/Collector (that is acting as a Performance Monitoring Relay)
  Clears when Performance Monitor is Normal for all devices from that Worker/Collector

No logs from a device
  Triggers when Event Receive Job Status is Critical for one device
  Clears when Event Receive Job Status is Normal for that device

FortiSIEM Log Relay Not Working – All Devices delayed
  Triggers when Event Receive Job Status is Critical for all devices to a specific Worker/Collector (that is acting as a Log Relay)
  Clears when Event Receive Job Status is Normal for all devices from that Worker/Collector
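The job status computation, the per-device roll-up and the device-level rule conditions from the tables above, carried through as an added Python example (not FortiSIEM code). Device names, polling intervals and gaps are constructed; treating a gap exactly equal to a threshold as the more severe state is an assumption, since the page only states strict LESS THAN / GREATER THAN.

```python
"""Added example (not FortiSIEM code): compute Performance Monitor and Event
Receive job status from time gaps and the page's thresholds, roll them up per
device, and evaluate which per-device data collection rules would fire.
Constructed sample devices; polling intervals and gaps are in minutes."""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Tuple

# Global constants from Admin > Device Support > Custom Properties (page defaults).
GLOBAL_THRESHOLDS: Dict[str, float] = {
    "perf_warn_mult": 3,   # Performance Monitoring Time Gap Warning Threshold (x polling interval)
    "perf_crit_mult": 5,   # Performance Monitoring Time Gap Critical Threshold (x polling interval)
    "event_warn_min": 10,  # Event Receive Time Gap Warning Threshold (minutes)
    "event_crit_min": 20,  # Event Receive Time Gap Critical Threshold (minutes)
}
SEVERITY = {"Normal": 0, "Warning": 1, "Critical": 2}


def classify(gap: float, warn: float, crit: float) -> str:
    """Normal below the warning threshold, Warning between the two thresholds,
    Critical above the critical one. A gap exactly equal to a threshold is
    treated as the more severe state (assumption; the page leaves it open)."""
    if gap < warn:
        return "Normal"
    if gap < crit:
        return "Warning"
    return "Critical"


def perf_job_status(gap: float, polling_interval: float, th: Dict[str, float]) -> str:
    # Performance thresholds are multiples of the job's polling interval.
    return classify(gap, th["perf_warn_mult"] * polling_interval,
                    th["perf_crit_mult"] * polling_interval)


def event_receive_status(gap: float, th: Dict[str, float]) -> str:
    # Event Receive thresholds are absolute minutes.
    return classify(gap, th["event_warn_min"], th["event_crit_min"])


def roll_up(statuses: Iterable[str]) -> str:
    """Device status: Critical if any is Critical, else Warning if any is
    Warning, else Normal (vacuously Normal when there are no jobs)."""
    return max(statuses, key=SEVERITY.__getitem__, default="Normal")


@dataclass
class Device:
    name: str
    perf_jobs: Dict[str, Tuple[float, float]]  # job -> (polling interval, gap)
    event_protocols: Dict[str, float]          # protocol -> gap since last event
    overrides: Dict[str, float] = field(default_factory=dict)  # Device > Edit > Properties

    def thresholds(self) -> Dict[str, float]:
        # Per-device properties take precedence over the global constants.
        return {**GLOBAL_THRESHOLDS, **self.overrides}


def evaluate(dev: Device) -> Dict[str, object]:
    th = dev.thresholds()
    perf = {job: perf_job_status(gap, interval, th)
            for job, (interval, gap) in dev.perf_jobs.items()}
    events = {proto: event_receive_status(gap, th)
              for proto, gap in dev.event_protocols.items()}
    rules: List[str] = []
    critical_jobs = [j for j, s in perf.items() if s == "Critical"]
    if critical_jobs:  # Critical for (at least) one job
        rules.append("Missing specific performance metric from a device")
    if perf and len(critical_jobs) == len(perf):  # Critical for ALL jobs
        rules.append("No performance metrics from a device")
    if roll_up(events.values()) == "Critical":
        rules.append("No logs from a device")
    return {"perf_jobs": perf, "perf_status": roll_up(perf.values()),
            "event_protocols": events, "event_status": roll_up(events.values()),
            "rules": rules}


# Constructed devices (not real data); fw01 overrides the event thresholds.
WEB01 = Device("web01", {"cpu": (5, 2), "disk": (5, 17)}, {"syslog": 4})
DB01 = Device("db01", {"cpu": (5, 30), "mem": (5, 40)}, {"syslog": 25, "snmptrap": 1})
FW01 = Device("fw01", {}, {"syslog": 25}, overrides={"event_warn_min": 30, "event_crit_min": 60})

if __name__ == "__main__":
    for dev in (WEB01, DB01, FW01):
        print(dev.name, evaluate(dev))
```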

FortiSIEM Categorization of Devices and Applications

Categorization of Devices and Applications

FortiSIEM uses four methods to identify and categorize devices and applications in the CMDB.

From Discovery – Network Devices

When FortiSIEM discovers a device, it looks for keywords in the SNMP sysDescr attribute and also probes for the SNMP sysObjectID attribute. Internal tables are then used to map a discovered device to one or more CMDB device groups based on these attributes.

Keywords from the sysDescr attribute are matched against the system table Device Vendor and Model

Keywords from the sysObjectID attribute are matched against the system table Device Vendor and Model

Matches from the Device Vendor and Model table are then matched against the ApprovedDeviceVendor.csv table that is used to create the categories in the CMDB Devices/Applications.

From Discovery – Applications

FortiSIEM discovers applications by discovering the processes that are running on a server. The table AppMapping.csv maps process names to Applications, Application Groups, and application folders in the CMDB.

From Logs

FortiSIEM includes a large number of log parsers, each of which is associated with a Device Vendor/Model and Application Vendor/Model. When the log is parsed by FortiSIEM, the Device/Application/Vendor information is matched against the table ApprovedDeviceVendor.csv, which then assigns the application or device to the appropriate CMDB Device/Application folder.

Special Cases

There are some special cases that cannot be categorized using discovery or log information. An example is Microsoft Active Directory. It is an application, but there is no explicit process for it, as it is part of the kernel or a larger system service. In this case, specific logs are used: Windows Security logs 672, 673 to detect Microsoft Domain Controller 2000, 2003, and Windows Security logs 4768, 4769 to detect Microsoft Windows Domain Controller 2008, 2012.

Examples

Categorizing a Cisco IOS Router/Switch

This is an example of categorizing a device using discovery. In this case, the Cisco IOS substring in the SNMP sysDescr attribute is used to detect a Cisco IOS device.

Then this entry in ApprovedDeviceVendor.csv maps the Device Vendor/Model Cisco IOS to the Router/Switch category in the CMDB. PH_SYS_DEVICE_ROUTER_SWITCH is the internal ID of the category.

Categorizing Fortinet Firewalls

This is also an example of categorizing a device by discovery. In this case, the SNMPv2-SMI::enterprises.12356 substring in the SNMP sysObjectId attribute is used to detect a Fortinet Firewall device.

Then this entry in the ApprovedDeviceVendor.csv table maps the Device Vendor/Model Fortinet FortiOS to the Firewall and Network IOS categories in the CMDB, since Fortinet is a UTM device. PH_SYS_DEVICE_FIREWALL and PH_SYS_DEVICE_NETWORK_IPS are the internal IDs of the categories.

Categorizing Microsoft IIS

This is an example of categorizing an application based on a running process. In this case, SNMP discovers a process svchost.exe with the

This entry in the AppMapping.csv table is then used to map the process name svchost.exe with the path name -k iissvcs to a Microsoft IIS application.

Categorizing Cisco ASA

This is an example of categorizing a device based on logs. The Cisco ASA parser has a Device Vendor/Model associated with it, and when a log from the Cisco ASA device is parsed by FortiSIEM, this entry in ApprovedDeviceVendor.csv maps the Device Vendor/Model Cisco ASA to the Firewall and VPN Gateway categories in the CMDB. PH_SYS_DEVICE_FIREWALL and PH_SYS_DEVICE_VPN_GATEWAY are the internal IDs of these categories.

Categorizing Microsoft IIS

This is an example of categorizing an application based on logs. The Microsoft IIS (via Snare) parser has a Device Vendor/Model associated with it, and when a log from Microsoft IIS is processed by FortiSIEM, this entry in ApprovedDeviceVendor.csv maps the Device Vendor/Model Microsoft to the Windows Server and Web Server categories in the CMDB. PH_SYS_DEVICE_WINDOWS_SERVER and PH_SYS_APP_WEB_SERVER are the internal IDs of these categories.

FortiSIEM Working with the Configuration Management Database (CMDB)

Working with the Configuration Management Database (CMDB)

The Configuration Management Database (CMDB) contains:

Discovered information about your IT infrastructure such as devices, networks, applications, and users

Information derived from your discovered infrastructure, including network topology and inter-device relationships such as the relationship of WLAN Access Points to Controller, and Virtual Machines to ESX Hosts.

Information about system objects such as rules, reports, business services, event types, networks, and ports/protocols

You can find and manage all this information under the CMDB tab.

CMDB Categorization of Devices and Applications

Overview of the CMDB User Interface

Managing CMDB Objects

Anonymity Networks and Groups

Setting Up an External Data Source for Anonymity Networks

Applications

Malware Domains

Updating System Defined Malware Domain Groups

Manually Creating Malware Domains and Groups

Custom Malware Domain Threat Feed

Updating System-Defined Malware IP Groups

Manually Creating Malware IP Addresses and Groups

Custom Malware IP Threat Feed

Malware URLs

Updating System-Defined Malware URL Group

Manually Creating Malware URLs

Custom Malware URL Threat Feed

Malware Hashes

Updating System Defined Malware Hash Group

Manually Creating Manual Hash

Custom Malware Hash Threat Feed

Malware Processes

Country Groups

Creating CMDB Groups and Adding Objects to Them

Default Passwords

Creating a Watch List

System-Defined Watch Lists

Reporting on CMDB Objects

CMDB Report Types

Running, Saving, and Exporting a CMDB Report

Creating and Modifying CMDB Reports

Importing and Exporting CMDB Report Definitions

CMDB Categorization of Devices and Applications

Categorization of Devices and Applications

From Discovery – Network Devices

From Discovery – Applications

From Logs

Special Cases

Categorizing a Cisco IOS Router/Switch

Categorizing Fortinet Firewalls

Categorizing Microsoft IIS

Categorizing Cisco ASA

Categorizing Microsoft IIS