Importing Malware IPs

You can import Malware IP information into FortiSIEM from external threat feed websites.

Prerequisites

Before proceeding, gather the following information about a threat feed web site:

  • Website URL
  • Credentials required to access the website (optional).
  • If the website is not supported by FortiSIEM, you may need to understand the format of the data returned by the URL.
    • If the data is in the comma-separated value format (the separator need not be a comma but could be any separator), then a simple integration is possible.
    • If the data is any other format, for example, XML, then some code must be written for integration using the framework provided by FortiSIEM.

Websites with Built-in Support

The following websites are supported:

For Threat Stream Malware IP, the following Malware types are imported:

  • Bot IP
  • Actor IP
  • APT Email
  • APT IP
  • Bruteforce IP
  • Compromised IP
  • Malware IP
  • DDoS IP
  • Phishing email IP
  • Phish URL IP
  • Scan IP
  • Spam IP

To import data from these websites, follow these steps:

  1. In RESOURCES > Malware IPs, find the website you must import data from.
  2. Select the folder.
  3. Click More > Update.
  4. Select Update via API. The link will show in the edit box.
  5. Enter a Schedule by clicking the + icon.
  6. Enter the schedule parameters - when to start and how often to import. FortiSIEM recommends no more frequent than hourly.
  7. Select the type of template you want to create.

Custom Threat Feed Websites - CSV Data - One-time Manual Import

This requires that the data to be imported is already in a file in comma-separated value format.

Requirements for Importing

  1. The CSV file columns must be in the following order:
    Name, Low IP, High IP, Malware Type, Confidence, Severity, ASN, Org, Country, Description, Date Found (MM/DD/YYYY), Last Seen (MM/DD/YYYY)
    If the fields are not in this order, then the whole file will not be imported.
  2. Name, Low IP, and High IP are required fields. All Name fields must be unique. If High IP is not available, then the High IP field should be set to the Low IP.
    Example: BadMalware,1.2.3.4,1.2.3.10

Follow these steps:

  1. Select RESOURCES > Malware IPs.
  2. Click the + button on the left navigation tree to open the Create New Malware IP Group dialog box.
  3. Enter a Group name and add a Description.
  4. Click Save to create the folder under Malware IPs.
  5. Select the folder just created.
  6. Select More > Update.
  7. Click Choose File.
  8. Browse to the file you want to import and select it.
  9. For Data Update, select Full (completely replace all data) or Incremental (add on to existing data).
  10. Click Import.
    The imported data will appear in the right pane.

Custom Threat Feed Websites - CSV Data - Programmatic Import via Java

Requirements for Importing

  1. The Web Site Data requires the following:
    1. A file in comma-separated value format (separator can be any special character such as space, tab, hash, dollar etc.).
    2. An individual entry is in one line.
  2. The Low IP field is required and must be unique.
    Example: 1.2.3.4

Follow these steps:

  1. Select RESOURCES > Malware IPs.
  2. Click the + button on the left navigation tree to open the Create New Malware IP Group dialog.
  3. Enter Group and add Description. Click Save to create the folder under Malware IPs.
  4. Select the folder just created.
  5. Select More > Update > Update via API.
  6. Click the edit icon next to URL and provide the following information:
    1. Enter the URL of the website.
    2. Enter User Name and Password (optional).
    3. For Plugin Type, select Java.
    4. For Plugin Class, the default class com.accelops.service.threatfeed.impl.ThreatFeedWithMappingPolicyService is displayed.
      Note: Do not modify this in any case.
    5. Enter the correct Field Separator (by default, it is a comma).
    6. Select CSV as the Data Format.
    7. Enter the Data Mapping by choosing the mapped field and the corresponding position in the website data. For example, if the IP is in third position, then choose 3 in the Position column.
  7. Click Save.
  8. Select an import schedule by clicking + on the Schedule. Select when to start the import and how often to import to get new data from the website.
    The imported data will show on the right pane after some time.
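The following is an added example, not FortiSIEM code: it takes a raw feed with an arbitrary separator and 1-based field positions (the same positional idea as the Data Mapping in the Java CSV plugin above), produces rows in the 12-column order the one-time manual import requires, applies the High IP = Low IP rule, and reports the conditions (missing or duplicate Name, malformed IP) that would cause the file to be rejected. The feed text and mapping are constructed for illustration.

```python
# Added example, not FortiSIEM code: build and check the 12-column Malware IP
# CSV for the manual import from a positionally mapped raw feed.
import csv
import io
import ipaddress

COLUMNS = ["Name", "Low IP", "High IP", "Malware Type", "Confidence",
           "Severity", "ASN", "Org", "Country", "Description",
           "Date Found", "Last Seen"]

# Constructed sample feed: '#'-separated, Name in position 1, type in 2,
# Low IP in 3, optional High IP in 4. The third line reuses a Name on purpose.
SAMPLE_FEED = """BadMalware#Bot IP#1.2.3.4#1.2.3.10
Scanner01#Scan IP#198.51.100.7#
BadMalware#Spam IP#203.0.113.9#
"""
SAMPLE_MAPPING = {"Name": 1, "Malware Type": 2, "Low IP": 3, "High IP": 4}


def normalize_feed(raw, sep, mapping):
    """Map 1-based positional fields onto the FortiSIEM column order."""
    rows = []
    for line in filter(str.strip, raw.splitlines()):
        parts = [p.strip() for p in line.split(sep)]
        row = {c: "" for c in COLUMNS}
        for col, pos in mapping.items():
            row[col] = parts[pos - 1] if pos <= len(parts) else ""
        row["High IP"] = row["High IP"] or row["Low IP"]  # missing High IP = Low IP
        rows.append(row)
    return rows


def validate_rows(rows):
    """Return problems that would make the whole file fail to import."""
    problems, seen = [], set()
    for n, row in enumerate(rows, 1):
        if not row["Name"] or row["Name"] in seen:
            problems.append(f"line {n}: Name missing or duplicate ({row['Name']!r})")
        seen.add(row["Name"])
        for col in ("Low IP", "High IP"):
            try:
                ipaddress.ip_address(row[col])
            except ValueError:
                problems.append(f"line {n}: {col} {row[col]!r} is not an IP")
    return problems


def to_csv(rows):
    """Serialize rows in the required column order, without a header row."""
    buf = io.StringIO()
    csv.writer(buf, lineterminator="\n").writerows([r[c] for c in COLUMNS] for r in rows)
    return buf.getvalue()
```

Run validate_rows on the normalized rows and only upload the to_csv output when it returns an empty list, since a single out-of-order or duplicate entry rejects the whole file.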

Custom Threat Feed Websites - Non-CSV Data - Programmatic Import via Java

This is the most general case, where the website data format does not satisfy the previous conditions. In this case, write a Java plugin class by modifying the default system-provided one.

After the class has been written and fully tested for correctness, follow these steps.

  1. Select RESOURCES > Malware IPs.
  2. Click on the "+" button on the left navigation tree to bring up the Create New Malware IP Group dialog.
  3. Enter Group and add Description.
  4. Click Save to create the folder under Malware IPs.
  5. Select the folder just created.
  6. Select More > Update > Update via API.
  7. Click the edit icon and:
    1. Enter the URL of the website.
    2. Enter User Name and Password (optional).
    3. For Plugin Type, select Java.
    4. For Plugin Class, the custom Java class for this case.
    5. Select 'Custom' as the Data Format.
    6. Click Save.
  8. Select an import schedule by clicking + on the Schedule. Select when to start the import and how often to import to get new data from the website.
    The imported data will display on the right pane after some time.

Custom Threat Feed Websites - STIX Formatted Data and TAXII Import via Java

In this case, the threat feed data is available formatted as STIX and follows the TAXII protocol.

  1. Select RESOURCES > Malware IPs.
  2. Click on the "+" button on the left navigation tree to bring up the Create New Malware IP Group dialog.
  3. Enter Group and add Description. Click Save to create the folder under Malware IPs.
  4. Select the folder just created.
  5. Select More > Update > Update via API.
  6. Click the edit icon and:
    1. Enter the URL of the website.
    2. Enter User Name and Password (optional).
    3. For Plugin Type, select Java.
    4. Select 'STIX-TAXII' as the Data Format.
    5. For Plugin Class, choose com.accelops.service.threatfeed.impl.StixMalwareIPUpdateService and select Full.
    6. Click Save.
  7. Select an import schedule by clicking + on the Schedule. Select when to start the import and how often to import to get new data from the website.
    The imported data will show on the right pane after some time.

Custom Threat Feed Websites - Programmatic Import via Python

In this case, the threat feed data is available via a Python integration.

  1. Select RESOURCES > Malware IPs.
  2. Click on the "+" button on the left navigation tree to bring up the Create New Malware IP Group dialog.
  3. Enter Group and add Description. Click Save to create the folder under Malware IPs.
  4. Select the folder just created.
  5. Select More > Update > Update via API.
  6. Click the edit icon next to URL and provide the following information:
    1. In the URL field, enter the URL of the website.

      Note: Include the "http://" or "https://" prefix.
    2. (optional) In the User Name field, enter the username used by the API.
    3. (optional) In the Password field, enter the password related to the username.
    4. For Plugin Type, select Python.
    5. Check the SSL Verify checkbox to include a check to the authenticity and validity of an SSL certificate.
    6. From the Plugin Name drop-down list, select the python script to use. Python scripts located under

      /opt/phoenix/data-definition/threatfeedIntegrations/

      will be available.

      Note: For more information on creating/using a Python script, see Appendix: Python Threat Feed Framework.

    7. For Data Update, select Full (Completely replace all data) or Incremental (add on to existing data).
  7. Click Save.
  8. Select an import schedule by clicking + on the Schedule. Select when to start the import and how often to import to get new data from the website.

    The imported data will show on the right pane after some time.