Working with ThreatConnect IOCs

ThreatConnect can provide malware IPs, domains, hashes, or URLs which FortiSIEM can use to match in log data The steps are as follows: for each IOC (IP, domain, hash, URL).

  1. Discover Collections
  2. Create Collection Policy
  3. Schedule IOC Download

Since an Organization may subscribe to many Collections (an intelligence source), downloading every IOC for all Collections may result in too much data. Therefore, specifying a Collection Policy is essential.

Download ThreatConnect Malware Domains

  1. Go to RESOURCES > Malware Domains and select the ThreatConnect Malware Domain folder.
  2. Click More > Update. In the Update Malware dialog box, then select Update via API.
  3. Use your ThreatConnect credentials to complete the URL, User name, and Password fields.
  4. Plugin Class is provided by default.
  5. Select a Data Format. In this release, only STIX-TAXII is supported.
  6. Enter an Organization name that is defined in your ThreatConnect account.
  7. Define a Collection.
  8. Click Discover Collections to expose all of the collections you are eligible to use.
  9. Select a collection policy in the table and click Edit.
  10. Edit any of the following values in the Edit Collection Policy dialog box:
    • Enabled: select whether the collection policy is enabled
    • Collection: edit the collection name
    • Tag: enter an optional user-defined tag for the collection
    • Max False Positive Count: enter a number where the frequency of an attack produces a false positive on your network.
    • Min Rating: enter a value between 0 and 5.
    • Confidence: enter a value between 1 and 100.
  11. Click Save.
  12. Schedule the download. See Specifying a Schedule.
  13. Check the folder 5 minutes after the scheduled time. Downloaded results should be displayed – organized by each collection.

Note that FortiSIEM does not provide system rules and reports because ThreatConnect folders are dynamic. The user must create them using the Collection folders.

Download Other ThreatConnect IOCs

For ThreatConnect Malware IP, go to RESOURCES > Malware IPs, select the ThreatConnect Malware IP folder, and repeat the same steps as for Malware Domains.

For ThreatConnect Malware URL, go to RESOURCES > Malware URLs, select the ThreatConnect Malware URL folder, and repeat the same steps as for Malware Domains.

For ThreatConnect Malware hash, go to RESOURCES > Malware Hash , select the ThreatConnect Malware Hash folder and repeat the same steps as for Malware Domains.

Specifying a Schedule

  1. Click the + icon next to Schedule.
  2. Enter values for the following options:
    • Time Range specifies start time (within the day) and the duration of the scheduling window. Select a UTC time and a corresponding location from the drop-down lists.
    • Recurrence Pattern specifies if and how the window will repeat.
      • If you are scheduling for one time only:
        1. Select Once for Recurrence Pattern.
        2. Select the specific date in Start From.
      • If you are scheduling for hourly:
        1. Enter the hourly interval.
        2. Select the Start From date for Recurrence Range, then either End after the number of occurrences, and End by date, or No end date to continue the recurrence forever.
      • If you are scheduling for Daily:
        1. Select the interval of days or Every weekday.
        2. Select the Start From date for Recurrence Range, then either End after the number of occurrences, and End by date, or No end date to continue the recurrence forever.
      • If you are scheduling for Weekly:
        1. Select the interval of weeks or select particular days of the week.
        2. Select the Start From date for Recurrence Range, then either End after the number of occurrences, and End by date, or No end date to continue the recurrence forever.
      • If you are scheduling for Monthly:
        1. Select the days and months from the drop-down lists.
        2. Select the Start From date for Recurrence Range, then either End after the number of occurrences, and End by date, or No end date to continue the recurrence forever.
  3. Click Save to apply the changes.