Importing Malware URLs

This section describes how to import Malware URL information into FortiSIEM from external threat feed websites.

Prerequisites

Before proceeding, gather the following information about a threat feed web site:

  • Website URL
  • Credentials required to access the website (optional)
  • If the website is not supported by FortiSIEM, you may need to understand the format of the data returned by the URL.
    • If the data is in comma separated value (CSV) format, then a simple integration is possible. Note that the separator need not be a comma but could be any separator.
    • If the data is any other format, for example - XML, then some code needs to be written for integration using the FortiSIEM provided framework.

Threat feed websites with built in support

The following websites are supported:

To import data from these websites, follow these steps:

  1. Under RESOURCES > Malware URLs, find the folder for the website you need to import data from.
  2. Select the folder.
  3. Click More > Update.
  4. Select Update via API. The link will show in the edit box.
  5. Enter a Schedule by clicking the + icon.
  6. Enter the schedule parameters - when to start and how often to import. FortiSIEM recommends importing no more frequently than hourly.

Custom threat feed websites - CSV data - one-time manual import

This requires that the data to be imported is already in a file in comma separated value format. The required column order is:

URL, Malware Type, Confidence, Description, Last Seen (MM/DD/YYYY)

  1. Select RESOURCES > Malware URLs.
  2. Click the + button on the left navigation tree to bring up the Create New Malware URL Group dialog.
  3. Enter Group and add Description. Click Save to create the folder under Malware URLs.
  4. Select the folder just created.
  5. Select Import from a CSV file.
  6. Click Choose File; enter the file name and click Upload.

    The imported data will show on the right pane.

Custom threat feed websites - CSV data - GUI import

This requires that the website data has the following structure:

  • The data is in comma separated value format (the separator can be any special character such as space, tab, hash or dollar).
  • Each line contains exactly one entry.

Follow these steps:

  1. Select RESOURCES > Malware URLs.
  2. Click the + button on the left navigation tree to open the Create New Malware URL Group dialog.
  3. Enter Group and add Description. Click Save to create the folder under Malware URLs.
  4. Select the folder just created.
  5. Select More > Update > Update via API.
  6. Click the edit icon and:
    1. Enter the URL of the website
    2. Enter User Name and Password (optional)
    3. For Plugin Class, the default class com.accelops.service.threatfeed.impl.ThreatstreamMalwareUrlUpdateService is shown. Leave it unchanged for this case.
    4. Enter the correct Field Separator (by default it is a comma)
    5. Set Data Format to CSV.
    6. Enter the Data Mapping by choosing each mapped field and its position in the website data. For example, if the URL is the third field on each line, choose 3 in the Position column for URL.
    7. Click Save
  7. Select an import schedule by clicking + on the Schedule. Select when to start the import and how often to import to get new data from the website.
    The imported data will show on the right pane.

Custom threat feed websites - non-CSV data - programmatic import

This is the most general case where the website data format is not CSV. In this case, write a Java plugin class by modifying the default system provided one.

After the class has been written and fully tested for correctness, follow these steps:

  1. Select RESOURCES > Malware URLs.
  2. Click the + button on the left navigation tree to open the Create New Malware URL Group dialog.
  3. Enter Group and add Description. Click Save to create the folder under Malware URLs.
  4. Select the folder just created.
  5. Select More > Update > Update via API.
  6. Click the edit icon and:
    1. Enter the URL of the website
    2. Enter User Name and Password (optional)
    3. For Plugin Class, enter the fully qualified name of your custom Java class.
    4. Select Custom as the Data Format.
    5. Click Save.
  7. Select an import schedule by clicking + on the Schedule. Select when to start the import and how often to import to get new data from the website.
    The imported data will show on the right pane.
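The three custom-feed cases above (one-time manual CSV import, GUI import with a field separator and position mapping, and a non-CSV feed) all come down to the same normalisation: pick the five fields out of whatever the feed returns and get them into the URL, Malware Type, Confidence, Description, Last Seen (MM/DD/YYYY) order. The script below is an added example, not FortiSIEM code and not the page's Java plugin framework: it applies a position mapping like the GUI Data Mapping table to a '|' separated feed, walks a small XML feed (an offline alternative to writing a Java plugin when a one-time manual import is enough), refangs hxxp/[.] indicators, normalises Last Seen from epoch or ISO-8601, de-duplicates by URL keeping the newest sighting, and writes the manual-import CSV. Both sample feeds, their element names and the mapping are constructed for the example; whether FortiSIEM wants a header line in the manual import file is not stated on the page, so the writer leaves it out unless asked.

```python
import csv
import io
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Column order of the one-time manual import (from the page); Last Seen is MM/DD/YYYY.
FORTISIEM_COLUMNS = ["URL", "Malware Type", "Confidence", "Description", "Last Seen"]

# Constructed sample feed: '|' separated, URL in the 3rd position, as a custom feed might be.
SAMPLE_PIPE_FEED = """\
# type|confidence|url|last_seen|description
trojan|90|http://bad.example/drop.php|2024-03-05|Dropper landing page
phish|75%|hxxp://login[.]example[.]net/auth|1709683200|Credential phishing
trojan|95|http://bad.example/drop.php|2024-03-08T12:00:00|Dropper landing page (update)
garbage line with too few fields
"""
# Same meaning as the GUI Data Mapping table: FortiSIEM field -> 1-based position in the feed.
DELIMITED_MAPPING = {"URL": 3, "Malware Type": 1, "Confidence": 2, "Description": 5, "Last Seen": 4}

# Constructed sample of a non-CSV (XML) feed; the element names are assumptions.
SAMPLE_XML_FEED = """<feed>
<entry><url>hxxp://cdn[.]example[.]org/x.exe</url><type>trojan</type><confidence>80</confidence><desc>Payload host</desc><seen>2024-03-02</seen></entry>
<entry><url></url><type>spam</type><confidence>10</confidence><desc>no url</desc><seen>2024-03-02</seen></entry>
</feed>"""


def refang(url):
    """Undo common defanging so the URL matches what hosts actually contact."""
    url = re.sub(r"^hxxps?://", lambda m: m.group(0).replace("hxxp", "http"), url.strip(), flags=re.I)
    return url.replace("[.]", ".").replace("(.)", ".")


def parse_last_seen(value):
    """Accept epoch seconds, ISO-8601 date/datetime or MM/DD/YYYY; return a naive UTC datetime."""
    value = value.strip()
    if re.fullmatch(r"\d{9,10}", value):
        return datetime.fromtimestamp(int(value), tz=timezone.utc).replace(tzinfo=None)
    for fmt in ("%Y-%m-%dT%H:%M:%S", "%Y-%m-%d", "%m/%d/%Y"):
        try:
            return datetime.strptime(value, fmt)
        except ValueError:
            continue
    raise ValueError("unrecognised Last Seen value: %r" % value)


def parse_delimited(text, separator, mapping):
    """Split each line on `separator` and pick fields by position, skipping comments and short lines."""
    needed = max(mapping.values())
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(separator)
        if len(fields) < needed:
            continue  # a position in the mapping points past the end of this line
        records.append({name: fields[pos - 1].strip() for name, pos in mapping.items()})
    return records


def parse_xml(text):
    """Walk <entry> elements of the assumed XML layout into the same record dicts."""
    tags = {"URL": "url", "Malware Type": "type", "Confidence": "confidence",
            "Description": "desc", "Last Seen": "seen"}
    return [{name: (entry.findtext(tag) or "").strip() for name, tag in tags.items()}
            for entry in ET.fromstring(text).findall("entry")]


def build_rows(records):
    """Normalise records and de-duplicate by URL, keeping the most recently seen entry."""
    latest = {}
    for rec in records:
        url = refang(rec["URL"])
        if not url or " " in url:
            continue  # nothing usable as an indicator
        seen = parse_last_seen(rec["Last Seen"])
        if url in latest and latest[url][0] >= seen:
            continue
        confidence = rec["Confidence"].rstrip("%")
        latest[url] = (seen, [url, rec["Malware Type"], confidence,
                              rec["Description"], seen.strftime("%m/%d/%Y")])
    return [row for _, row in latest.values()]


def to_fortisiem_csv(rows, include_header=False):
    """Render rows as comma separated text in the manual-import column order."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    if include_header:
        writer.writerow(FORTISIEM_COLUMNS)
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    rows = build_rows(parse_delimited(SAMPLE_PIPE_FEED, "|", DELIMITED_MAPPING) + parse_xml(SAMPLE_XML_FEED))
    print(to_fortisiem_csv(rows), end="")
```

Run it and feed the resulting file to Import from a CSV file; for the GUI case the DELIMITED_MAPPING dictionary is exactly what you type into the Data Mapping table, with "|" as the Field Separator. The de-duplication matters in practice: feeds that re-list an indicator on every sighting would otherwise produce multiple rows per URL with conflicting Confidence and Last Seen values.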

Custom threat feed websites - STIX formatted data and TAXII import

In this case, the threat feed data is available formatted as STIX and follows the TAXII protocol.

  1. Select RESOURCES > Malware URLs.
  2. Click the + button on the left navigation tree to bring up the Create New Malware URL Group dialog.
  3. Enter Group and add Description. Click Save to create the folder under Malware URLs.
  4. Select the folder just created.
  5. Select More > Update > Update via API.
  6. Click the edit icon and:
    1. Enter the URL of the website.
    2. Enter User Name and Password (optional).
    3. For Plugin Class, choose STIX-TAXII and Full.
    4. Select STIX-TAXII as the Data Format
    5. Click Save.
  7. Select an import schedule by clicking + on the Schedule. Select when to start the import and how often to import to get new data from the website.

    The imported data will show on the right pane.