
Fortinet Configuration

FortiSIEM Configuration Guide for Malware Patrol Threat Intel Feeds

Malware Patrol offers the following threat intelligence feeds formatted for integration into FortiSIEM. This allows users to combine the quality of Fortinet’s SIEM security platform with the protection from our threat intelligence. Customers can choose the feed(s) that meet their needs. The feeds covered in this guide are: DNS-over-HTTPS (DoH) Domains, Malicious Domains, Malicious IPs, Malware Hashes, and Malware URLs.

We offer free evaluations of our Enterprise feeds, including those for FortiSIEM. To request your evaluation, complete our request form.

About FortiSIEM

“FortiSIEM brings together visibility, correlation, automated response, and remediation in a single, scalable solution. It reduces the complexity of managing network and security operations to effectively free resources, improve breach detection, and even prevent breaches. What’s more is that [the] architecture enables unified data collection and analytics from diverse information sources including logs, performance metrics, security alerts, and configuration changes. FortiSIEM combines the analytics traditionally monitored in separate silos of the security operations center (SOC) and network operations center (NOC) for a more holistic view of the security and availability of the business. FortiGuard Threat Intelligence and Indicators of Compromise (IOC) and Threat Intelligence (TI) feeds from commercial, open source, and custom data sources integrate easily into the security TI framework. This grand unification of diverse sources of data enables organizations to rapidly identify root causes of threats, and take the steps necessary to remediate and prevent them in the future. Steps can often be automated with new Threat Mitigation Libraries for many Fortinet products.

External Threat Intelligence Integrations

  • APIs for integrating external threat feed intelligence – Malware domains, IPs, URLs, hashes, Tor nodes
  • Built-in integration for popular threat intelligence sources – ThreatStream, CyberArk, SANS, Zeus, ThreatConnect
  • Technology for handling large threat feeds – incremental download and sharing within cluster, real-time pattern matching with network traffic. All STIX and TAXII feeds are supported”

Adding External TI – A FortiSIEM Configuration Guide

The following are instructions to configure each of our data feeds on FortiSIEM version 6.4.0 (1412) using the web interface.

DNS-over-HTTPS (DoH) Domains

Benefits of the Malware Patrol DoH Data Feed

We developed this feed to help security teams monitor the use of DoH in their environment. Our tools continuously search for new DoH servers to keep this data fresh. DoH lets users bypass the DNS-level controls and internet usage policies put in place to protect your network against known threats, and threat actors take advantage of this, for example by using DoH for C2 server connections. As such, both incoming and outgoing DoH traffic should be closely monitored for indications of malicious activity.

1) From the FortiSIEM dashboard, navigate to Resources in the top navigation menu. On the left side menu that appears, you will see the types of IoC feeds that can be integrated.

2) Select Malware Domains from the menu on the left.

3) Click the + button at the upper left-hand side of this side menu to add a new Malware Domains group.

4) Enter a group name. We will use Malware Patrol – DoH to distinguish this feed from the Malware Patrol group used for the Malicious Domains feed in this guide.

5) Click Save. The Malware Patrol – DoH group will now appear under the Malware Domains section.

6) Select/highlight the Malware Patrol – DoH group and then click More from the top menu.

7) Select Update from the drop-down menu.

8) On the screen that pops up, choose Update via API and click the edit (pencil) button.

9) Enter the following to set up the feed update:

  • URL of your Malware Patrol DoH feed or evaluation feed. Copy it by right-clicking the feed’s link in the Malware Patrol customer or evaluation portal and copying the link address.
  • Your Malware Patrol portal username and password
  • Plugin Class: no changes
  • Field separator: ,
  • Data format: CSV
  • Data update: Full

10) In the Data Mapping section, match the following:

  • Domain Name, Position 1
  • Description, Position 2
  • Last Seen, Position 3

11) Click Save.

12) Click the Schedule: + button.

13) On the screen that pops up, enter:

  • Start Time: Set a start time a few minutes from the current time. This will cause the data to be updated after your setup is complete
  • Recurrence Pattern: Hourly, Every 1 Hour (Malware Patrol feeds are updated on an hourly basis)
  • Recurrence:
    • Start From: Today’s Date
    • End Date: No End Date
  • Click Save

14) The data will populate at the start time set above. If it does not, click the Refresh button at the top of the data display area, or go back to the schedule settings to verify the start time you set and, if needed, set another time a few minutes in the future.

15) To change the columns displayed once the data populates, click on the Select Columns button located beside the refresh button. Use the data mapping information from the setup process to know which fields are available in the Malware Patrol feed.

Malicious Domains

Benefits of the Malware Patrol Malicious Domains Data Feed

This Malware Patrol feed contains domains actively involved in malicious activities. The data is derived from five of our Enterprise feeds: 1) Anti-Mining, 2) Command & Control (C2) Addresses, 3) Domain Names Generated via DGAs, 4) Malware & Ransomware URLs, and 5) Phishing URLs. Network traffic associated with these domains is highly likely to be malicious.

1) From the FortiSIEM dashboard, navigate to Resources in the top navigation menu. On the left side menu that appears, you will see the types of IoC feeds that can be integrated.

2) Select Malware Domains from the menu on the left.

3) Click the + button at the upper left-hand side of this side menu to add a new Malware Domains group.

4) Enter a group name. We will use Malware Patrol for this guide.

5) Click save. The Malware Patrol group will now appear under the Malware Domains section.

6) Select/highlight the Malware Patrol group and then click More from the top menu.

7) Select Update from the drop-down menu.

8) On the screen that pops up, choose Update via API.

9) Click the edit (pencil) button for the URL.

10) Enter the following to set up the feed update:

  • URL of your Malware Patrol Malicious Domains feed or evaluation feed. Copy it by right-clicking the feed’s link in the Malware Patrol customer or evaluation portal and copying the link address.
  • Your Malware Patrol portal username and password
  • Plugin Class: no changes
  • Field separator: ,
  • Data format: CSV
  • Data update: Full

11) In the Data Mapping section, match the following:

  • Domain Name, Position 1
  • Malware Type, Position 2
  • Description, Position 3
  • Date Found, Position 4
  • Last Seen, Position 5

12) Click Save

13) Click on the Schedule: + button

14) On the screen that pops up, enter:

  • Start Time: Set a start time a few minutes from the current time. This will cause the data to be updated after your setup is complete
  • Recurrence Pattern: Hourly, Every 1 Hour (Malware Patrol feeds are updated on an hourly basis)
  • Recurrence:
    • Start From: Today’s Date
    • End Date: No End Date
  • Click Save

15) The data will populate at the start time set above. If it does not, click the Refresh button at the top of the data display area, or go back to the schedule settings to verify the start time you set and, if needed, set another time a few minutes in the future.

16) To change the columns displayed once the data populates, click on the Select Columns button located beside the refresh button. Use the data mapping information from the setup process for each feed to know which fields are available in the Malware Patrol feed. 

Malicious IPs

Benefits of the Malware Patrol Malicious IPs Data Feed

This feed contains IP addresses known to actively host malicious files and C2 systems for malware and ransomware. Monitoring traffic destined to them is an effective network protection measure and provides valuable information for threat hunting purposes.

1) From the FortiSIEM dashboard, navigate to Resources in the top navigation menu. On the left side menu that appears, you will see the types of IoC feeds that can be integrated.

2) Select Malware IPs from the menu on the left.

3) Click the + button at the upper left-hand side of this side menu to add a new Malware IPs group.

4) Enter a group name. We will use Malware Patrol for this guide.

5) Click Save. The Malware Patrol group will now appear under the Malware IPs section.

6) Select/highlight the Malware Patrol group and then More from the top menu.

7) Select Update from the drop-down menu.

8) On the next screen, choose Update via API and click the edit (pencil) button.

9) Enter the following to set up the feed update:

  • URL of your Malware Patrol Malicious IPs feed or evaluation feed. Copy it by right-clicking the feed’s link in the Malware Patrol customer or evaluation portal and copying the link address.
  • Your Malware Patrol portal username and password
  • Plugin Class: no changes
  • Field separator: ,
  • Data format: CSV
  • Data update: Full

10) In the Data Mapping section, match the following:

  • Name, Position 1
  • Low IP, Position 2
  • Malware Type, Position 3
  • Description, Position 4
  • Date Found, Position 5
  • Last Seen, Position 6

11) Click Save

12) Click the Schedule: + button.

13) On the next screen, enter:

  • Start Time: Set a start time a few minutes from the current time. This will cause the data to be updated after your setup is complete
  • Recurrence Pattern: Hourly, Every 1 Hour (Malware Patrol feeds are updated on an hourly basis)
  • Recurrence:
    • Start From: Today’s Date
    • End Date: No End Date
  • Click Save

14) The data will populate at the start time set above. If it does not, click the Refresh button at the top of the data display area, or go back to the schedule settings to verify the start time you set and, if needed, set another time a few minutes in the future.

15) To change the columns displayed once the data populates, click on the Select Columns button located beside the refresh button. Use the data mapping information from the setup process for each feed to know which fields are available in the Malware Patrol feed.

Malware Hashes

Benefits of the Malware Patrol Malware Hashes Data Feed

This feed contains the SHA-1 hashes of malware and ransomware samples currently available on the internet. Encountering a file with one of these hashes in your environment is a sign of malicious activity.

1) From the FortiSIEM dashboard, navigate to Resources in the top navigation menu. On the left side menu that appears, you will see the types of IoC feeds that can be integrated.

2) Select Malware Hash from the menu on the left.

3) Click the + button at the upper left-hand side of this side menu to add a new Malware Hash group.

4) Enter a group name. We will use Malware Patrol for this guide.

5) Click save. The Malware Patrol group will now appear under the Malware Hash section.

6) Select/highlight the Malware Patrol group and then More from the top menu.

7) Select Update from the drop-down menu.

8) On the next screen, choose Update via API and click on the edit (pencil) button.

9) Enter the following to set up the feed update:

  • URL of your Malware Patrol Malware Hashes feed or evaluation feed. Copy it by right-clicking the feed’s link in the Malware Patrol customer or evaluation portal and copying the link address.
  • Your Malware Patrol portal username and password
  • Plugin Class: no changes
  • Field separator: ,
  • Data format: CSV
  • Data update: Full

10) In the Data Mapping section, match the following:

  • Description, Position 1
  • Algorithm, Position 2
  • HashCode, Position 3
  • Malware Type, Position 4
  • Date Found, Position 5
  • Last Seen, Position 6

11) Click Save

12) Click on the Schedule: + button

13) On the next screen, enter:

  • Start Time: Set a start time a few minutes from the current time. This will cause the data to be updated after your setup is complete
  • Recurrence Pattern: Hourly, Every 1 Hour (Malware Patrol feeds are updated on an hourly basis)
  • Recurrence:
    • Start From: Today’s Date
    • End Date: No End Date
  • Click Save

14) The data will populate at the start time set above. If it does not, click the Refresh button at the top of the data display area, or go back to the schedule settings to verify the start time you set and, if needed, set another time a few minutes in the future.

15) To change the columns displayed once the data populates, click on the Select Columns button located beside the refresh button. Use the data mapping information from the setup process for each feed to know which fields are available in the Malware Patrol feed.

Malware URLs

Benefits of the Malware/Ransomware URLs Data Feed

This feed contains URLs known to be hosting malware binaries. It is updated hourly to remove inactive URLs and add newly detected ones. Correlating this feed with network traffic can pinpoint a potential malware infection.

1) From the FortiSIEM dashboard, navigate to Resources in the top navigation menu. On the left side menu that appears, you will see the types of IoC feeds that can be integrated.

2) Select Malware URLs from the menu on the left.

3) Click the + button at the upper left-hand side of this menu to add a new Malware URLs group.

4) Enter a group name. We will use Malware Patrol for this guide.

5) Click save. The Malware Patrol group will now appear under the Malware URLs section.

6) Select/highlight the Malware Patrol group and then More from the top menu.

7) Select Update from the drop-down menu.

8) On the next screen, choose Update via API and click on the edit (pencil) button.

9) Enter the following to set up the feed update:

  • URL of your Malware Patrol Malware URLs feed or evaluation feed. Copy it by right-clicking the feed’s link in the Malware Patrol customer or evaluation portal and copying the link address.
  • Your Malware Patrol portal username and password
  • Plugin Class: no changes
  • Field separator: ,
  • Data format: CSV
  • Data update: Full

10) In the Data Mapping section, match the following:

  • URL, Position 1
  • Malware Type, Position 2
  • Last Seen, Position 3

11) Click Save.

12) Click the Schedule: + button.

13) On the next screen, enter:

  • Start Time: Set a start time a few minutes from the current time. This will cause the data to be updated after your setup is complete
  • Recurrence Pattern: Hourly, Every 1 Hour (Malware Patrol feeds are updated on an hourly basis)
  • Recurrence:
    • Start From: Today’s Date
    • End Date: No End Date
  • Click Save

14) The data will populate at the start time set above. If it does not, click the Refresh button at the top of the data display area, or go back to the schedule settings to verify the start time you set and, if needed, set another time a few minutes in the future.

15) To change the columns displayed once the data populates, click on the Select Columns button located beside the refresh button. Use the data mapping information from the setup process for each feed to know which fields are available in the Malware Patrol feed.
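Before scheduling the hourly import for any of the five feeds configured above, it is worth confirming that the downloaded CSV really has the column layout entered in the Data Mapping step: if a row has a different number of fields, FortiSIEM maps every position one column off without complaining, and the group fills with garbage. The Python script below is an added example, not Malware Patrol or Fortinet code. It takes the column positions from the Data Mapping steps of each section of this guide, parses a locally saved copy of the feed (download it with the feed URL from the portal first), checks the column count of every row, and validates the indicator column FortiSIEM keys on (domain, IP address, SHA-1 hash as stated in the Malware Hashes section, or URL). The sample rows are constructed from reserved example names and addresses and are not real indicators. Skipping lines that start with # and leaving the date columns unvalidated are assumptions, since the exact feed header and date format are not shown in this guide.

```python
"""Check a Malware Patrol CSV feed against the FortiSIEM Data Mapping
positions used in this guide. Added example, not vendor code."""
import csv
import io
import ipaddress
import re
import sys
from urllib.parse import urlsplit

# Column layouts exactly as entered in the Data Mapping step of each
# section of this guide, keyed by the FortiSIEM resource type.
LAYOUTS = {
    "doh_domains": ["Domain Name", "Description", "Last Seen"],
    "malicious_domains": ["Domain Name", "Malware Type", "Description",
                          "Date Found", "Last Seen"],
    "malicious_ips": ["Name", "Low IP", "Malware Type", "Description",
                      "Date Found", "Last Seen"],
    "malware_hashes": ["Description", "Algorithm", "HashCode", "Malware Type",
                       "Date Found", "Last Seen"],
    "malware_urls": ["URL", "Malware Type", "Last Seen"],
}

# Hostname labels per RFC 1123, at least two labels, case-insensitive.
_DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9-]{2,63}$",
    re.I)
# The Malware Hashes feed carries SHA-1 hashes (40 hex chars) per this guide.
_SHA1_RE = re.compile(r"^[0-9a-f]{40}$", re.I)


def _indicator_ok(feed, row):
    """Validate the column FortiSIEM will match traffic against."""
    if feed in ("doh_domains", "malicious_domains"):
        return bool(_DOMAIN_RE.match(row["Domain Name"]))
    if feed == "malicious_ips":
        try:
            ipaddress.ip_address(row["Low IP"])  # accepts IPv4 and IPv6
            return True
        except ValueError:
            return False
    if feed == "malware_hashes":
        algo = row["Algorithm"].upper().replace("-", "")
        return algo == "SHA1" and bool(_SHA1_RE.match(row["HashCode"]))
    if feed == "malware_urls":
        parts = urlsplit(row["URL"])
        return parts.scheme in ("http", "https") and bool(parts.netloc)
    raise ValueError(f"unknown feed type: {feed}")


def check_feed(feed, csv_text):
    """Return (valid_rows, problems): rows as dicts keyed by the Data Mapping
    column names, and (line_number, reason) for rows FortiSIEM would mis-map."""
    columns = LAYOUTS[feed]
    valid, problems = [], []
    for line_no, fields in enumerate(csv.reader(io.StringIO(csv_text)), 1):
        # Assumption: blank lines and lines starting with '#' are not data.
        if not fields or fields[0].startswith("#"):
            continue
        if len(fields) != len(columns):
            # A wrong column count shifts every mapped position in FortiSIEM.
            problems.append((line_no, f"expected {len(columns)} columns, "
                                      f"got {len(fields)}"))
            continue
        row = dict(zip(columns, (f.strip() for f in fields)))
        if not _indicator_ok(feed, row):
            problems.append((line_no, "indicator value failed validation"))
            continue
        valid.append(row)
    return valid, problems


# Constructed sample rows using reserved names and addresses (RFC 2606,
# RFC 5737); the hash is SHA-1 of the empty string. Not real indicators.
SAMPLES = {
    "doh_domains": ("doh.example.com,DoH resolver,2024-05-01 12:00:00\n"
                    "not a domain,DoH resolver,2024-05-01 12:00:00\n"),
    "malicious_domains": ('bad.example.net,C2,"Command and control, sample",'
                          "2024-04-30,2024-05-01\n"),
    "malicious_ips": ("bad.example.net,192.0.2.10,Malware,Sample host,"
                      "2024-04-30,2024-05-01\n"
                      "bad.example.net,192.0.2.999,Malware,Sample host,"
                      "2024-04-30,2024-05-01\n"),
    "malware_hashes": ("Sample,SHA-1,da39a3ee5e6b4b0d3255bfef95601890afd80709,"
                       "Trojan,2024-04-30,2024-05-01\n"
                       "Sample,SHA-1,da39a3ee5e6b4b0d3255bfef95601890afd80709,"
                       "Trojan,2024-04-30\n"),
    "malware_urls": ("http://www.example.com/dropper.exe,Trojan,2024-05-01\n"
                     "ftp://www.example.com/x,Trojan,2024-05-01\n"),
}


def summarize(samples=SAMPLES):
    """Return {feed: (valid_row_count, problem_count)} for each sample."""
    return {feed: tuple(len(part) for part in check_feed(feed, text))
            for feed, text in samples.items()}


if __name__ == "__main__":
    # Usage: python check_feed.py <feed_type> <downloaded_feed.csv>
    if len(sys.argv) == 3:
        with open(sys.argv[2], encoding="utf-8") as fh:
            rows, issues = check_feed(sys.argv[1], fh.read())
        print(f"{len(rows)} valid rows, {len(issues)} problems")
        for line_no, reason in issues[:20]:
            print(f"  line {line_no}: {reason}")
    else:
        for feed, counts in summarize().items():
            print(f"{feed}: {counts[0]} valid, {counts[1]} problems")
```

Run it against the saved feed with the feed type as the first argument (for example `python check_feed.py malware_hashes feed.csv`); with no arguments it runs on the constructed samples, where one row per feed is deliberately broken. A feed that reports column-count problems needs the Field separator and Data Mapping positions re-checked before the schedule is enabled, because the Full update will replace the whole group with the mis-mapped rows every hour.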

If you need any assistance with this FortiSIEM configuration guide, please email support (@) malwarepatrol.net or contact your Account Manager.
