Updating user-defined Malware Hash

System-defined groups are updated by their own services:

  • Threat Stream Malware Hash
  • FortiSandbox Malware Hash

You can update a Malware Hash group using the options described below.

Prerequisites:

Before proceeding, gather the following information about the threat feed website:

  • Website URL
  • Credentials required to access the website (optional)
  • If the website is not supported by FortiSIEM, the format of the data returned by the URL:
    • If the data is in comma separated value format (the separator need not be a comma; any single separator character works), a simple integration is possible.
    • If the data is in any other format, for example XML, some code needs to be written for the integration using the FortiSIEM provided framework.

Import from a CSV file

Custom websites - CSV data - one-time manual import

Instead of adding Malware Hashes to a group one at a time, you can upload a CSV file with multiple entries. The data to be imported must already be in a file in comma separated value format, with one entry per line and the fields in the following order:

Botnet Name, Algorithm, Hash Code, Controller IP, Malware Type, Confidence, Severity, ASN, Org, Country, Description, Date Found (MM/DD/YYYY), Last Seen (MM/DD/YYYY)

Note: Although many fields are possible, only Botnet Name and Hash Code are required.

  1. Go to RESOURCES > Malware Hash.
  2. Select the group from the left panel or create a new group by clicking the + icon above the list of RESOURCES groups.
  3. Select More > Update.
  4. Select Import from a CSV file and choose the file to import.
  5. Click Import.

Update via API

This section describes how to import Malware Hash information into FortiSIEM from external threat feed websites. A malware hash is the digest (the Algorithm and Hash Code fields) of a file known to be malicious; importing these lists lets FortiSIEM match file hashes seen in events against known malware.

Updating a System Defined Malware Hash Group

The supported websites are those behind the system-defined groups listed at the top of this page (Threat Stream Malware Hash and FortiSandbox Malware Hash).

Follow the procedure below to import data from these websites:

  1. Go to Resources > Malware Hash.
  2. Select the folder and find the website you need to import data from.
  3. Click More > Update.
  4. Select Update via API.
    The link will be displayed in the URL field or else manually enter the URL and details.
  5. Enter a Schedule by clicking the + icon.
  6. Enter the schedule parameters: Start Time and Recurrence Pattern. FortiSIEM recommends updating no more frequently than hourly.
  7. Click Save.
    You can use the edit icon to modify a Schedule or the delete icon to remove it.

Custom threat feed websites - CSV data - programmatic import

This requires that the website data:

  • is a file in comma separated value format (the separator can be any special character such as space, tab, hash, dollar, etc.)
  • has one entry per line.

Note: Although many fields are possible, only Botnet Name and Hash Code are required.

  1. Go to RESOURCES> Malware Hash.
  2. Select the folder or click + to add a new group under Malware Hash folder.
  3. Click More > Update.
  4. Select Update via API. The link will be displayed in the URL field or else manually enter the URL and details.
  5. Click the edit icon near URL.
  6. Enter the following information:
    1. Enter the URL of the website.
    2. Enter User Name and Password (optional)
    3. For Plugin Class, the default class 'com.accelops.service.threatfeed.impl.ThreatFeedWithMappingPolicyService' is shown. Do not modify this class.
    4. Enter the correct Field Separator (by default it is a comma).
    5. Select CSV as the Data Format.
    6. Select Data Update as Full.
    7. Enter the Data Mapping by choosing the mapped field and its position in the website data. For example, if the Hash Code is in the third column, choose 3 in the Position column. Click + if you need to add more rows.
    8. Click Save.
  7. Select an import schedule by clicking + in the Schedule section. Select when to start the import and how often to import new data from the website.
    The imported data will show on the right pane after some time.
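The two CSV paths above (the fixed-column file for a one-time import and the Field Separator plus Data Mapping settings for a scheduled import) describe the same thing: split each line on a separator and pick columns by 1-based position. The following script is an added example, not FortiSIEM code, that does this offline so a feed can be checked before it is pointed at the SIEM. The required fields (Botnet Name, Hash Code) come from the note above; the hash-length-per-algorithm and MM/DD/YYYY checks, and the sample lines, are this example's own assumptions.

```python
"""Offline checker for a delimited malware-hash feed (added example, not
FortiSIEM code). Models the import settings described above: a single-
character Field Separator and a Data Mapping from field name to 1-based
column position. Validation rules beyond "Botnet Name and Hash Code are
required" are assumptions about what a sane feed should contain."""
import re
from datetime import datetime

# Column order of the one-time CSV import, expressed as a position mapping.
CSV_FIELDS = [
    "Botnet Name", "Algorithm", "Hash Code", "Controller IP", "Malware Type",
    "Confidence", "Severity", "ASN", "Org", "Country", "Description",
    "Date Found", "Last Seen",
]
FIXED_CSV_LAYOUT = {name: pos for pos, name in enumerate(CSV_FIELDS, start=1)}

REQUIRED = ("Botnet Name", "Hash Code")
# Assumed digest lengths in hex characters; extend if a feed uses others.
HASH_HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64}
HEX_RE = re.compile(r"^[0-9a-f]+$")
DATE_FIELDS = ("Date Found", "Last Seen")


def _check(rec):
    """Return a list of problems with one mapped record (empty if clean).
    Also lower-cases the hash so duplicates compare equal."""
    problems = []
    for name in REQUIRED:
        if not rec.get(name):
            problems.append(f"missing {name}")
    h = rec.get("Hash Code", "").strip().lower()
    if h and not HEX_RE.match(h):
        problems.append("Hash Code is not hexadecimal")
    algo = rec.get("Algorithm", "").strip().upper().replace("-", "")
    if algo:
        expected = HASH_HEX_LEN.get(algo)
        if expected is None:
            problems.append(f"unknown Algorithm {algo}")
        elif h and len(h) != expected:
            problems.append(f"{algo} digest should be {expected} hex chars, got {len(h)}")
    for name in DATE_FIELDS:
        value = rec.get(name, "").strip()
        if value:
            try:
                datetime.strptime(value, "%m/%d/%Y")
            except ValueError:
                problems.append(f"{name} is not MM/DD/YYYY: {value!r}")
    rec["Hash Code"] = h
    return problems


def parse_feed(text, separator, mapping):
    """Split each non-empty, non-comment line on `separator`, pick the columns
    named in `mapping` (field -> 1-based position, as in the Data Mapping
    table) and validate them. Returns (accepted, rejected); rejected holds
    (line_number, line, problems) tuples so bad lines can be reported."""
    accepted, rejected = [], []
    width = max(mapping.values())
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        cols = line.split(separator)
        if len(cols) < width:
            rejected.append((lineno, line, [f"expected >= {width} columns, got {len(cols)}"]))
            continue
        rec = {name: cols[pos - 1].strip() for name, pos in mapping.items()}
        problems = _check(rec)
        if problems:
            rejected.append((lineno, line, problems))
        else:
            accepted.append(rec)
    return accepted, rejected


# Constructed sample feed using '|' as separator. The digests are the
# well-known MD5/SHA1/SHA256 of empty input, used only as syntactically valid
# placeholders; they are not indicators of anything.
SAMPLE_FEED = (
    "# botnet|algorithm|hash|c2|found\n"
    "ExampleBot|SHA256|E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855|203.0.113.10|01/15/2024\n"
    "ExampleBot|MD5|d41d8cd98f00b204e9800998ecf8427e||\n"
    "ExampleBot|MD5|not-a-hash|203.0.113.11|01/15/2024\n"
    "|SHA1|da39a3ee5e6b4b0d3255bfef95601890afd80709|203.0.113.12|02/30/2024\n"
)
SAMPLE_MAPPING = {"Botnet Name": 1, "Algorithm": 2, "Hash Code": 3,
                  "Controller IP": 4, "Date Found": 5}

if __name__ == "__main__":
    ok, bad = parse_feed(SAMPLE_FEED, "|", SAMPLE_MAPPING)
    for rec in ok:
        print("OK  ", rec["Botnet Name"], rec["Algorithm"], rec["Hash Code"])
    for lineno, _, problems in bad:
        print("DROP line", lineno, "->", "; ".join(problems))
```

Running it accepts the first two records and drops the other two (a non-hex hash, and a line with no Botnet Name and an impossible date). Passing FIXED_CSV_LAYOUT with a comma separator checks a file prepared for the one-time import in the same way.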

Custom threat feed websites - non-CSV data - programmatic import

This is the most general case, where the website data format does not satisfy the previous conditions. In this case, write a Java plugin class, starting from the default system-provided one.

  1. Go to RESOURCES> Malware Hash.
  2. Select the folder or click + to add a new group under Malware Hash folder.
  3. Click More > Update.
  4. Select Update via API.
  5. Click the edit icon near URL.
  6. Enter the following information:
    1. Enter the URL of the website.
    2. Enter User Name and Password (optional)
    3. For Plugin Class, enter the name of your custom Java class.
    4. Select Custom or STIX-TAXII as the Data Format.
    5. Enter the Data Mapping by choosing the mapped field and its position in the website data. For example, if the Hash Code is in the third column, choose 3 in the Position column. Click + if you need to add more rows.
    6. Click Save.
  7. Select an import schedule by clicking + in the Schedule section. Select when to start the import and how often to import new data from the website.
    The imported data will show on the table after some time.

Custom threat feed websites - non-CSV data - STIX formatted data and TAXII import

In this case, the threat feed data is formatted as STIX and retrieved over the TAXII protocol.

  1. Go to RESOURCES> Malware Hash.
  2. Select the folder or click + to add a new group under Malware Hash folder.
  3. Click More > Update.
  4. Select Update via API.
  5. Click the edit icon near URL.
  6. Enter the following information:
    1. Enter the URL of the website.
    2. Enter User Name and Password (optional)
    3. For Plugin Class, enter the name of your custom Java class.
    4. Select STIX-TAXII as the Data Format.
    5. Select Data Update as Full.
    6. Click Save.
  7. Select an import schedule by clicking + in the Schedule section. Select when to start the import and how often to import new data from the website.
    The imported data will show on the table after some time.
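For the STIX-TAXII path the plugin has to turn STIX indicator objects into the Botnet Name / Algorithm / Hash Code layout the group stores. The following is an added example of that extraction, not FortiSIEM's STIX-TAXII plugin. The page does not say which STIX version the plugin expects, so STIX 2.1 JSON (the object form served by a TAXII 2.1 collection) is an assumption here; the bundle, indicator IDs and digests are constructed, and dropping revoked or expired indicators is this example's own choice.

```python
"""Extract file-hash indicators from a STIX 2.1 bundle into the field layout
used by a Malware Hash group (added example, not FortiSIEM code; STIX 2.1
JSON is assumed, the page does not state the version)."""
import json
import re
from datetime import datetime, timezone

# One hash comparison inside a STIX pattern, e.g.
#   file:hashes.'SHA-256' = '...'   or   file:hashes.MD5 = '...'
HASH_COMPARISON = re.compile(
    r"file:hashes\.'?(?P<algo>[A-Za-z0-9-]+)'?\s*=\s*'(?P<hash>[0-9A-Fa-f]+)'"
)
# STIX spells the algorithms with hyphens; normalise to the feed's form.
ALGO_NAMES = {"MD5": "MD5", "SHA-1": "SHA1", "SHA-256": "SHA256"}


def _parse_ts(value):
    """Parse an RFC 3339 STIX timestamp (with or without fractional seconds)."""
    fmt = "%Y-%m-%dT%H:%M:%S.%fZ" if "." in value else "%Y-%m-%dT%H:%M:%SZ"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)


def extract_hashes(bundle_json, now=None):
    """Return one record per (indicator, hash) pair found in the bundle,
    skipping revoked indicators, indicators whose valid_until has passed,
    non-STIX pattern types and hash algorithms we do not know."""
    now = now or datetime.now(timezone.utc)
    bundle = json.loads(bundle_json)
    records = []
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator" or obj.get("revoked"):
            continue
        if obj.get("pattern_type", "stix") != "stix":
            continue
        until = obj.get("valid_until")
        if until and _parse_ts(until) <= now:
            continue
        for m in HASH_COMPARISON.finditer(obj.get("pattern", "")):
            algo = ALGO_NAMES.get(m.group("algo").upper())
            if algo is None:
                continue
            records.append({
                "Botnet Name": obj.get("name", obj["id"]),
                "Algorithm": algo,
                "Hash Code": m.group("hash").lower(),
                "Confidence": obj.get("confidence", ""),
                "Description": obj.get("description", ""),
                "Date Found": _parse_ts(obj["valid_from"]).strftime("%m/%d/%Y"),
            })
    return records


# Constructed bundle. IDs are made-up UUIDs; the digests are the MD5 and
# SHA-256 of empty input, used only as syntactically valid placeholders.
SAMPLE_BUNDLE = {
    "type": "bundle", "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--00000000-0000-4000-8000-000000000002",
         "name": "ExampleBot dropper", "confidence": 80,
         "pattern_type": "stix", "valid_from": "2024-01-15T00:00:00.000Z",
         "pattern": "[file:hashes.'SHA-256' = 'E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855' "
                    "OR file:hashes.MD5 = 'd41d8cd98f00b204e9800998ecf8427e']"},
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--00000000-0000-4000-8000-000000000003",
         "name": "Revoked entry", "revoked": True, "pattern_type": "stix",
         "valid_from": "2024-01-15T00:00:00Z",
         "pattern": "[file:hashes.MD5 = 'd41d8cd98f00b204e9800998ecf8427e']"},
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--00000000-0000-4000-8000-000000000004",
         "name": "Expired entry", "pattern_type": "stix",
         "valid_from": "2019-01-01T00:00:00Z", "valid_until": "2020-01-01T00:00:00Z",
         "pattern": "[file:hashes.MD5 = 'd41d8cd98f00b204e9800998ecf8427e']"},
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--00000000-0000-4000-8000-000000000005",
         "name": "C2 address, not a hash", "pattern_type": "stix",
         "valid_from": "2024-01-15T00:00:00Z",
         "pattern": "[ipv4-addr:value = '203.0.113.5']"},
    ],
}
# Fixed "now" so the expiry check is deterministic.
FIXED_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)


def extract_sample():
    return extract_hashes(json.dumps(SAMPLE_BUNDLE), now=FIXED_NOW)


if __name__ == "__main__":
    for rec in extract_sample():
        print(rec["Botnet Name"], rec["Algorithm"], rec["Hash Code"], rec["Date Found"])
```

Only the first indicator survives, yielding one SHA256 and one MD5 record; the revoked, expired and non-file indicators are dropped. A plugin built this way would feed these records through the same Data Mapping the CSV path uses.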