Importing Malware Domains

You can import Malware Domain information into FortiSIEM from external threat feed websites.

Custom Threat Feed Websites - CSV Data - One-time Manual Import

This requires that the data to be imported is already in a file in comma-separated value (CSV) format.

Requirements for Importing

  1. The CSV file columns must be in the following order:
    Name, IP Address, Reverse Lookup, Malware Type, Confidence, Severity, ASN, Origin, Country, Description, Date Found (MM/DD/YYYY), Last Seen (MM/DD/YYYY)
    If the fields are not in this order, then the whole file will not be imported.
  2. The Name field is required and must be unique. If two or more Name fields are identical, the latter ones will not be imported.
    Example Name Field: mydomain.local
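A pre-import check for the CSV rules listed above, added here as an example and not FortiSIEM's own code: the `check_feed` function, the constructed sample rows, and the configurable separator (which mirrors the Field Separator of the programmatic import below) are assumptions.

```python
# Added example, not FortiSIEM code: pre-import check mirroring the CSV rules
# above (fixed 12-column order, Name required and unique with later duplicates
# dropped, dates MM/DD/YYYY); separator is configurable. Sample rows are constructed.
import csv, io
from datetime import datetime

COLUMNS = ["Name", "IP Address", "Reverse Lookup", "Malware Type", "Confidence", "Severity",
           "ASN", "Origin", "Country", "Description", "Date Found", "Last Seen"]
DATE_FIELDS = ("Date Found", "Last Seen")

def _valid_date(value):
    """Empty is allowed; otherwise the value must parse as MM/DD/YYYY."""
    if not value:
        return True
    try:
        datetime.strptime(value, "%m/%d/%Y")
        return True
    except ValueError:
        return False

def check_feed(text, separator=","):
    """Return (accepted_entries, rejected) where rejected is [(line_no, reason)]."""
    accepted, rejected, seen = [], [], set()
    for line_no, row in enumerate(csv.reader(io.StringIO(text), delimiter=separator), 1):
        if not row:
            continue  # blank line
        if len(row) != len(COLUMNS):
            rejected.append((line_no, "expected %d fields, got %d" % (len(COLUMNS), len(row))))
            continue
        entry = dict(zip(COLUMNS, (f.strip() for f in row)))
        if not entry["Name"]:
            rejected.append((line_no, "Name is required"))
        elif entry["Name"] in seen:  # identical Name: only the first occurrence is imported
            rejected.append((line_no, "duplicate Name %s" % entry["Name"]))
        elif any(not _valid_date(entry[f]) for f in DATE_FIELDS):
            rejected.append((line_no, "date not MM/DD/YYYY"))
        else:
            seen.add(entry["Name"])
            accepted.append(entry)
    return accepted, rejected

# Constructed sample: one good row, then a bad date, a duplicate Name,
# a missing Name, and a row with too few fields.
SAMPLE = """\
mydomain.local,203.0.113.10,,Botnet C2,High,High,64496,Constructed,ZZ,ok,01/15/2024,02/01/2024
evil.example,198.51.100.7,,Phishing,Medium,Medium,64496,Constructed,ZZ,bad date,2024-01-15,02/01/2024
mydomain.local,203.0.113.11,,Botnet C2,High,High,64496,Constructed,ZZ,duplicate,01/16/2024,02/02/2024
,192.0.2.5,,Dropper,Low,Low,64496,Constructed,ZZ,missing name,01/17/2024,02/03/2024
short.example,192.0.2.9,,Dropper
"""
```

Running `check_feed(SAMPLE)` keeps only the first row and reports a reason and line number for each of the other four, which is the feedback the FortiSIEM import itself does not give.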
Follow these steps:

  1. Select RESOURCES > Malware Domains.
  2. Click the + button on the left navigation tree to open the Create New Malware Domain Group dialog box.
  3. In the Group field, enter a Group name.
  4. In the Description field, enter a description.
  5. Click Save to create the folder under Malware Domains.
  6. Select the folder just created.
  7. Select More > Update.
  8. Click Choose File.
  9. Browse to the CSV file you want to import and select it.
  10. Leave Data Update as Full (Completely replace all data) or Incremental (add on to existing data).
  11. Click Import.

Custom Threat Feed Websites - CSV Data - Programmatic Import via Java

Requirements for Importing

  1. The Web Site Data requires the following:
    1. A file in comma-separated value format (the separator can be any special character, such as space, tab, hash, or dollar).
    2. An individual entry is in one line.
  2. The Name field is required and must be unique. The Malware domain import will fill this group with only unique values within the name field.
    Example Name Field: mydomain.local

Follow these steps:

  1. Select RESOURCES > Malware Domains.
  2. Click the + button on the left navigation tree to open the Create New Malware Domain Group dialog box.
  3. In the Group field, enter a Group name.
  4. In the Description field, enter a Description.
  5. Click Save to create the folder under Malware Domains.
  6. Select the folder just created.
  7. Select More > Update.
  8. From the Update Malware Domain dialog box, select Update via API.
  9. Click the edit icon next to URL and provide the following information:
    1. In the URL field, enter the URL of the website.
      Note: Include the "http://" or "https://" prefix.
    2. (optional) In the User Name field, enter the username used by the API.
    3. (optional) In the Password field, enter the password related to the username.
    4. For Plugin Type, select Java.
    5. For Plugin Class, the default class com.accelops.service.threatfeed.impl.ThreatFeedWithMappingPolicyService is displayed.
      Note: Do not modify this in any case.
    6. Enter the correct Field Separator (by default, it is a comma).
    7. Select CSV as the Data Format.
    8. Enter the Data Mapping by choosing the mapped field and the corresponding position in the website data. For example, if the Domain Name is in third position, then choose 3 in the Position column.
    9. Enter the Data Update as Full (Completely replace all data) or Incremental (add on to existing data).
  10. Click Save.
  11. Select an import schedule by clicking + on the Schedule. Select when to start the import and how often to import to get new data from the website.
    The imported data will show on the right pane after some time.

Custom Threat Feed Websites - Programmatic Import via Python

Follow these steps:

  1. Select RESOURCES > Malware Domains.
  2. Click the + button on the left navigation tree to open the Create New Malware Domain Group dialog box.
  3. In the Group field, enter a Group name.
  4. In the Description field, enter a Description.
  5. Click Save to create the folder under Malware Domains.
  6. Select the folder just created.
  7. Select More > Update.
  8. From the Update Malware Domain dialog box, select Update via API.
  9. Click the edit icon next to URL and provide the following information:
    1. In the URL field, enter the URL of the website.
      Note: Include the "http://" or "https://" prefix.
    2. (optional) In the User Name field, enter the username used by the API.
    3. (optional) In the Password field, enter the password related to the username.
    4. For Plugin Type, select Python.
    5. Check the SSL Verify checkbox to verify the authenticity and validity of the website's SSL certificate before data is fetched.
    6. From the Plugin Name drop-down list, select the python script to use. Python scripts located under
      /opt/phoenix/data-definition/threatfeedIntegrations/
      will be available.
      Note: For more information on creating/using a Python script, see Appendix: Python Threat Feed Framework.
    7. For Data Update, select Full (Completely replace all data) or Incremental (add on to existing data).
  10. Click Save.
  11. Select an import schedule by clicking + on the Schedule. Select when to start the import and how often to import to get new data from the website.
    The imported data will show on the right pane after some time.