Working with Malware Patrol

The following section describes how to configure Malware Patrol with FortiSIEM for Malware Domains, Malware IPs, Malware Hashes, and Malware URLs. Additional information is available on the Malware Patrol website https://www.malwarepatrol.net/tech-support/.

• Configuring Malware Patrol Malware Domains
• Configuring Malware Patrol Malware IPs
• Configuring Malware Patrol Malware Hashes
• Configuring Malware Patrol Malware URLs

Configuring Malware Patrol Malware Domains

To configure Malware Patrol Malware Domains, take the following steps.

1. Login to FortiSIEM GUI.
2. Navigate to RESOURCES > Malware Domains.
   
3. In the left pane, click the + icon and create a group named “Malware Patrol”.
4. Select the Malware Patrol folder you just created.
5. Click More > Update. In the Update Malware dialog box, select Update via API.
6. In the URL row, click the Edit icon.
7. In the URL field, enter the URL of the threat feed as provided via the Malware Patrol portal.
8. In the Username field, enter your Malware Patrol username.
9. In the Password field, enter the password associated with your Malware Patrol username.
10. In the Plugin Class field, enter:
    com.accelops.service.threatfeed.impl.ThreatFeedWithMappingPolicyService
11. For Field Separator, enter a comma, by inputting the "," character.
12. For Data Format, select CSV.
    Note: Currently, only CSV is supported.
13. Select a Data Update process. Selecting Full means FortiSIEM will download all data. If Incremental is selected, FortiSIEM will download from the latest recorded update date.
14. For Data Mapping, add your Mapped fields. The following is an example.
    
    • Domain Name, set to Position 1.
    • Malware Type, set to Position 2.
    • Description, set to Position 3.
    • Date Found, set to Position 4.
    • Last Seen, set to Position 5.
15. Click Save.
16. Schedule the download. See Specifying a Schedule.
17. Check the folder 5 minutes after the scheduled time. Downloaded results should be displayed.

Configuring Malware Patrol Malware IPs

To configure Malware Patrol Malware IPs, take the following steps.

1. Login to FortiSIEM GUI.
2. Navigate to RESOURCES > Malware IPs.
   
3. In the left pane, click the + icon and create a group name “Malware Patrol”.
4. Click Save.
5. Select the Malware Patrol folder you just created.
6. Click More > Update. In the Update Malware IP dialog box, select Update via API.
7. In the URL row, click the Edit icon.
8. In the URL field, enter the URL of the threat feed as provided via the Malware Patrol portal.
9. In the Username field, enter your Malware Patrol username.
10. In the Password field, enter the password associated with your Malware Patrol username.
11. In the Plugin Class field, enter:
    com.accelops.service.threatfeed.impl.ThreatFeedWithMappingPolicyService
12. For Field Separator, enter a comma, by inputting the "," character.
13. For Data Format, select CSV.
    Note: Currently, only CSV is supported.
14. Select a Data Update process. Selecting Full means FortiSIEM will download all data. If Incremental is selected, FortiSIEM will download from the latest recorded update date.
15. For Data Mapping, add your Mapped fields. The following is an example.
    
    • Name, set to Position 1.
    • Low IP , set to Position 2.
    • High IP, set to Position 3.
    • Malware Type, set to Position 4.
    • Description, set to Position 5.
    • Date Found, set to Position 6.
    • Last Seen, set to Position 7.
16. Click Save.
17. Schedule the download. See Specifying a Schedule.
18. Check the folder 5 minutes after the scheduled time. Downloaded results should be displayed.

Configuring Malware Patrol Malware Hashes

To configure Malware Patrol Malware Hashes, take the following steps.

1. Login to FortiSIEM GUI.
2. Navigate to RESOURCES > Malware Hash.
   
3. In the left pane, click the + icon and create a group name “Malware Patrol”.
4. Click Save.
5. Select the Malware Patrol folder you just created.
6. Click More > Update. In the Update Malware Hash dialog box, select Update via API.
7. In the URL row, click the Edit icon.
8. In the URL field, enter the URL of the threat feed as provided via the Malware Patrol portal.
9. In the Username field, enter your Malware Patrol username.
10. In the Password field, enter the password associated with your Malware Patrol username.
11. In the Plugin Class field, enter:
    com.accelops.service.threatfeed.impl.ThreatFeedWithMappingPolicyService
12. For Field Separator, enter a comma, by inputting the "," character.
13. For Data Format, select CSV.
    
    Note: Currently, only CSV is supported.
14. Select a Data Update process. Selecting Full means FortiSIEM will download all data. If Incremental is selected, FortiSIEM will download from the latest recorded update date.
15. For Data Mapping, add your Mapped fields. The following is an example.
    
    • Description, set to Position 1.
    • Algorithm, set to Position 2.
    • HashCode, set to Position 3.
    • Malware Type, set to Position 4.
    • Date Found, set to Position 5.
    • Last Seen, set to Position 6.
16. Click Save.
17. Schedule the download. See Specifying a Schedule.
18. Check the folder 5 minutes after the scheduled time. Downloaded results should be displayed.

Configuring Malware Patrol Malware URLs

To configure Malware Patrol Malware URLs, take the following steps.

1. Login to FortiSIEM GUI.
2. Navigate to RESOURCES > Malware URLs.
   
3. In the left pane, click the + icon and create a group name “Malware Patrol”.
4. Click Save.
5. Select the Malware Patrol folder you just created.
6. Click More > Update. In the Update Malware Url dialog box, select Update via API.
7. In the URL row, click the Edit icon.
8. In the URL field, enter the URL of the threat feed as provided via the Malware Patrol portal.
9. In the Username field, enter your Malware Patrol username.
10. In the Password field, enter the password associated with your Malware Patrol username.
11. In the Plugin Class field, enter:
    com.accelops.service.threatfeed.impl.ThreatFeedWithMappingPolicyService
12. For Field Separator, enter a comma, by inputting the "," character.
13. For Data Format, select CSV.
    
    Note: Currently, only CSV is supported.
14. Select a Data Update process. Selecting Full means FortiSIEM will download all data. If Incremental is selected, FortiSIEM will download from the latest recorded update date.
15. For Data Mapping, add your Mapped fields. The following is an example.
    
    • URL, set to Position 1.
    • Malware Type, set to Position 2.
    • Last Seen, set to Position 3.
16. Click Save.
17. Schedule the download. See Specifying a Schedule.
18. Check the folder 5 minutes after the scheduled time. Downloaded results should be displayed.