Lookups Via External Websites (e.g. VirusTotal)

Indicators of Compromise (IOCs) can take the form of external IP addresses, domain names, URLs, and file hashes.

When a security incident is triggered due to a potentially malicious IOC, you may want to consult an external threat intelligence website to get more information about the IOC. If the website can confidently say that the IOC is malware, then you can take corrective action, such as blocking the IOC. On the other hand, if the website says that the IOC is safe, then you can mark the IOC as a false positive.

There are two types of external lookups:

  • Some websites accept an IOC as a parameter in the URL and respond with information about the IOC. In many of these cases, the IOC information in the web page cannot be parsed programmatically, and the user must manually determine whether the IOC is malware. For example, see https://www.talosintelligence.com/reputation_center/lookup?search=8.8.8.8.
  • Other websites, such as VirusTotal, RiskIQ, and FortiGuard, have APIs. FortiSIEM can analyze the data from these websites and present the results in an easily understandable format for the user. Note: VirusTotal supports domain, URL, and file hash lookups. RiskIQ supports IP and domain lookups. FortiGuard supports IP, domain, URL, and file hash lookups.

FortiSIEM supports all of the lookup types described above. External website lookups can be performed only from the Incident List view.

Prerequisites

Complete these steps before performing external lookups:

  1. External lookups that accept an IOC in the URL must be defined in ADMIN > Settings > System > Lookup. See Lookup Settings for more information.
  2. VirusTotal, RiskIQ, and FortiGuard integrations must be defined in ADMIN > Settings > General > External Integration. This involves setting credentials.

    See VirusTotal Integration, RiskIQ Integration, and FortiGuard Integration for more information.

Performing an External Lookup on VirusTotal, RiskIQ, and/or FortiGuard

Follow these steps to perform an external lookup on VirusTotal, RiskIQ, and/or FortiGuard.

  1. Go to INCIDENTS and click the List view.
  2. Select an incident from the table.
  3. Drill down on either the Source, Target, Detail or Reporting IP columns and choose External Lookup. FortiSIEM will identify IP, Domain, URL and file hash fields for lookup.
  4. Choose one of the following and click Lookup.
    a. An external website that accepts the IP in the URL
    b. VirusTotal, RiskIQ, and/or FortiGuard
  5. For the first case (4a), the page opens in a different tab in the browser.
  6. For the second case (4b), FortiSIEM collects information about the IOC from the websites using the API, makes a conclusion as to whether it is Safe/Malware/Not Sure, and presents the data in the Result tab.
  7. If a FortiGuard result is determined to possibly be malicious, you can click on Malicious to get more details as to why FortiGuard flagged the incident as malicious.
  8. Based on the information about the IOC, you can click on the Action tab and take any of the following actions.

    1. Update Comment: You can update the incident comment based on the website findings. Enter an optional comment about the incident and click Add Summary, then Apply. The comment will appear in the Incident Comment panel in the Details tab when you select the incident in the List view.
    2. Resolve Incident: You can resolve the incident. Choose Open, True Positive, False Positive, or In Progress. Click Apply, and the selection will appear in the Resolution column for that incident.
      • If you choose False Positive, you have the option of providing a reason for your choice. You also have the option to Create a False Positive in ThreatConnect. Clicking this option will respond with a message describing whether the creation was successful. This option assumes that you have created a malware configuration for ThreatConnect. You can configure IPs, domains, hash, or URLs for ThreatConnect. See Working with ThreatConnect IOCs.
    3. Create Rule Exception: If it is a false positive, then you can create a rule exception. Click the edit icon to create an exception to the rule. For more information on using the Edit Rule Exception dialog box, see Creating an exception for the rule.
    4. Set Incident Severity: You can change the incident severity. Open the drop-down list and choose Change to LOW, Change to MEDIUM, or Change to HIGH.
    5. Remediate Incident: You can remediate the Incident, e.g. block the malware domain. Click the edit icon to remediate the incident. For more information on using the Run Remediation feature, see Creating a Remediation action.
    6. Run External Integration: You can create a ticket in an external ticketing system. Click the edit icon to choose an integration policy from the drop-down list. Click OK.
  9. Click Close.
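As an added illustration of step 3 (FortiSIEM identifying IP, domain, URL and file hash fields) and of the per-integration support noted above, the following Python classifies an IOC string and reports which of the three API integrations can look it up, then combines per-source verdicts into the Safe/Malware/Not Sure conclusion from step 6. This is example code, not FortiSIEM's own; the classification regexes and the verdict-combination rule are assumptions, and the support table is taken from this page.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Lookup types each integration supports, as stated on this page.
SUPPORTED = {
    "VirusTotal": {"domain", "url", "hash"},
    "RiskIQ": {"ip", "domain"},
    "FortiGuard": {"ip", "domain", "url", "hash"},
}

# Assumed formats: MD5 / SHA-1 / SHA-256 hex digests and a plain hostname.
HASH_RE = re.compile(r"^[0-9a-fA-F]{32}$|^[0-9a-fA-F]{40}$|^[0-9a-fA-F]{64}$")
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([a-zA-Z0-9-]{1,63}\.)+[a-zA-Z]{2,63}$")


def classify_ioc(value: str) -> str:
    """Return 'ip', 'hash', 'url' or 'domain'; raise ValueError if none apply."""
    v = value.strip()
    try:
        ipaddress.ip_address(v)  # accepts IPv4 and IPv6
        return "ip"
    except ValueError:
        pass
    if HASH_RE.match(v):
        return "hash"
    parsed = urlparse(v)
    if parsed.scheme in ("http", "https") and parsed.netloc:
        return "url"
    if DOMAIN_RE.match(v):
        return "domain"
    raise ValueError(f"not an IP, domain, URL or file hash: {value!r}")


def lookup_sources(value: str) -> list:
    """Integrations that can look up this IOC, in the order the page lists them."""
    kind = classify_ioc(value)
    return [name for name, kinds in SUPPORTED.items() if kind in kinds]


def conclude(verdicts: dict) -> str:
    """Combine per-source verdicts ('safe', 'malicious', 'unknown') into one conclusion.
    Assumed rule: any 'malicious' -> Malware; all 'safe' -> Safe; anything else -> Not Sure."""
    values = set(verdicts.values())
    if "malicious" in values:
        return "Malware"
    if values and values <= {"safe"}:
        return "Safe"
    return "Not Sure"
```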