FortiSIEM CMDB Malware Domains

Malware Domains

The CMDB Malware Domains page lists domains that are known to generate spam, host botnets, create DDoS attacks, and generally contain malware. The three default groups included in your FortiSIEM deployment, MalwareDomainList, Zeus Domains, and SANS Domains, contain malware domains that are derived from the websites malwaredomainlist.com, zeustracker.abuse.ch, and isc.sans.edu. Because malware domains are constantly shifting, FortiSIEM recommends maintaining a dynamically generated list of IP addresses provided by services such as these that is updated on a regular schedule, but you can also add or remove blocked IP addresses from these system-defined groups, and create your own groups based on manual entry of IP addresses or file upload.

Updating System Defined Malware Domain Groups

System defined groups are MalwareDomainList, Zeus Domains, and SANS Domains, which are updated by their corresponding services. You can set these to update automatically on a schedule, or add or remove individual IP addresses from them.

Setting Schedule

  1. Log in to your Supervisor node.
  2. Click CMDB.
  3. Select a system-defined group.
  4. Click Update.
  5. Select Update Automatically to open the update scheduler and verify the URI of the update service.
  6. Set the schedule for how often you want the list to update from the service.
  7. Click Save.

Adding/Removing entries

  1. If you want to remove a domain or set of domains from the group, clear the Enable selection next to the domain name, and then click Continue to confirm.

The domain will still be listed in the group, but it will no longer be blocked. Select Enable to resume blocking it.

  1. If you want to add a malware domain to the group, make sure the group is selected, click New, and enter information about the blocked IP address.

Changing to STIX/TAXII

If the system defined threat feeds are available via STIX/TAXII, then check the STIX/TAXII box.

Manually Creating Malware Domains and Groups

  1. Create a group under Blocked Domains as described in Creating CMDB Groups and Adding Objects to Them.
  2. Select the group you created and click New.
  3. Enter information for the Blocked Domain you want to add, and then click Save.

Custom Malware Domain Threat Feed

This topic describes how to import malware domain information into FortiSIEM from external threat feed websites.

Pre-requisites

Threat feed Websites with built in support

Custom threat feed websites – CSV data – one-time manual import

Custom threat feed websites – CSV data – programmatic import

Custom threat feed websites – non-CSV data – programmatic import

Custom threat feed websites – STIX formatted data and TAXII import

Pre-requisites

Before proceeding, gather the following information about a threat feed website.

The website URL

Credentials required to access the website (optional)

If the website is not supported by FortiSIEM, you may need to understand the format of the data returned by the URL. If the data is in comma separated value format (the separator need not be a comma but could be any separator), then a simple integration is possible.

If the data is in any other format, e.g. XML, then some code needs to be written for integration using the FortiSIEM provided framework.

Threat feed Websites with built in support

The following websites are supported

Malware domain list (http://www.malwaredomainlist.com)

Zeus domains (https://zeustracker.abuse.ch)

SANS Domains (https://isc.sans.edu/feeds/)

Threat Stream Domains  (https://api.threatstream.com)

Hail-A-TAXII Domains  (http://hailataxii.com/)

For Threat Stream the following malware domain types are included

Command and Control Domain

Compromised Domain

Malware Domain

Dynamic DNS Domain

APT Domain

To import data from these websites, follow these steps

  1. In the CMDB > Malware Domains, find the website you need to import data from.
  2. Select the folder.
  3. Click Update.
  4. Select Update via API. The link should show in the edit box.
  5. Enter a schedule by clicking on the “+” icon.
  6. Enter the schedule parameters – when to start and how often to import. FortiSIEM recommends no more frequent than hourly.
  7. Select the type of template you want to create.

Custom threat feed websites – CSV data – one-time manual import

This requires that the data to be imported is already in a file in comma separated value format. The required format is

  1. Select CMDB>Malware Domains.
  2. Click on the “+” button on the left navigation tree to bring up the Create New Malware Domain Group
  3. Enter Group and add Description. Click OK to create the folder under Malware Domains.
  4. Select the folder just created.
  5. Select Import from a file.
  6. Click Browse; enter the file name and click Upload.
  7. The imported data will show on the right pane.

Custom threat feed websites – CSV data – programmatic import

  1. Select CMDB > Malware Domains.
  2. Click on the “+” button on the left navigation tree to bring up the Create New Malware Domain Group
  3. Enter Group and add Description. Click OK to create the folder under Malware Domains.
  4. Select the folder just created.
  5. Select Update via API
  6. For Website, Click Add.
  7. In the Data Mapping dialog:
    1. Enter the URL of the website
    2. Enter User Name and Password (optional)
    3. For Plugin class, the default class FortiSIEM.service.threatfeed.impl.ThreatFeedWithMappingPolicyService is shown. Do not modify this for this case.
    4. Enter the correct Field separator (by default it is a comma)
    5. Select CSV as the Data Format
    6. Enter the Data Mapping by choosing the mapped field and the corresponding position in the website data. For example, if the domain name is in third position, then choose 3 for Position.
    7. Click Save
  8. Select an import schedule by clicking + on the Schedule Summary. Select when to start the import and how often to import to get new data from the website.
  9. The imported data will show on the right pane after some time.
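
A pre-flight check for the Field separator and Position settings in the steps above, as an added example (not FortiSIEM code): it splits a saved sample of the feed with the same separator and 1-based position you plan to enter in the Data Mapping dialog and reports rows whose mapped field is not a domain name. The sample feed, the function name check_mapping, and the skipping of `#` comment lines are assumptions.

```python
import csv
import re

# Constructed sample of a pipe-separated feed (not real indicators).
# The domain name is in the third field of each row.
SAMPLE_FEED = """\
# date|category|domain|confidence
2024-01-05|c2|bad-domain.example|high
2024-01-05|malware|dropper.example.net|medium
2024-01-06|c2|198.51.100.7|high
2024-01-06|phish
2024-01-07|malware|UPPER.Example.ORG.|low
"""

# Dot-separated letter/digit/hyphen labels; the last label must start with a
# letter, which also rejects bare IPv4 addresses.
_DOMAIN_RE = re.compile(
    r"^(?:(?!-)[a-z0-9-]{1,63}(?<!-)\.)+[a-z][a-z0-9-]{0,61}[a-z0-9]$"
)

def check_mapping(feed_text, separator=",", position=1):
    """Split each row on `separator` and validate the field at `position`.

    separator: the Field separator (one character).
    position:  1-based Position of the domain field.
    Returns (domains, rejects); rejects holds (line_number, reason) tuples.
    """
    domains, rejects = [], []
    for lineno, line in enumerate(feed_text.splitlines(), 1):
        # Assumption: blank lines and '#' comment lines are not data rows.
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        row = next(csv.reader([line], delimiter=separator))
        if len(row) < position:
            rejects.append((lineno, "too few fields"))
            continue
        value = row[position - 1].strip().lower().rstrip(".")
        if len(value) > 253 or not _DOMAIN_RE.match(value):
            rejects.append((lineno, f"not a domain: {value!r}"))
            continue
        domains.append(value)
    return domains, rejects

if __name__ == "__main__":
    good, bad = check_mapping(SAMPLE_FEED, separator="|", position=3)
    print(f"{len(good)} domains accepted, {len(bad)} rows rejected")
    for lineno, reason in bad:
        print(f"  line {lineno}: {reason}")
```

If every row is rejected, the separator or position is wrong for this feed; a handful of rejects usually means the feed mixes IP addresses or short rows in with domains.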

Custom threat feed websites – non-CSV data – programmatic import

This is the most general case, where the website data format does not satisfy the previous conditions. In this case, the user has to write a Java plugin class by modifying the default system-provided one. Follow the instructions in the FortiSIEM ServiceAPI, available at the FortiSIEM support portal under the FortiSIEM ServiceAPI section. After the class has been written and fully tested for correctness, follow these steps.

  1. Select CMDB>Malware Domains.
  2. Click on the “+” button on the left navigation tree to bring up the Create New Malware Domain Group
  3. Enter Group and add Description. Click OK to create the folder under Malware Domains.
  4. Select the folder just created.
  5. Select Update via API
  6. For Website, Click Add.
  7. In the Data Mapping dialog:
    1. Enter the URL of the website
    2. Enter User Name and Password (optional)
    3. For Plugin class, choose the custom Java class for this case.
    4. Enter the correct Field separator (by default it is a comma)
    5. Select CSV as the Data Format
    6. Enter the Data Mapping by choosing the mapped field and the corresponding position in the website data. For example, if the domain name is in third position, then choose 3 for Position.
    7. Click Save
  8. Select an import schedule by clicking + on the Schedule Summary. Select when to start the import and how often to import to get new data from the website.
  9. The imported data will show on the right pane after some time.

Custom threat feed websites – STIX formatted data and TAXII import

In this case, the threat feed data is available formatted as STIX and follows the TAXII protocol.

  1. Select CMDB>Malware Domains.
  2. Click on the “+” button on the left navigation tree to bring up the Create New Malware Domain Group
  3. Enter Group and add Description. Click OK to create the folder under Malware Domains.
  4. Select the folder just created.
  5. Select Update via API
  6. For Website, Click Add.
  7. In the Data Mapping dialog:
    1. Enter the URL of the website
    2. Enter User Name and Password (optional)
    3. For Plugin class, choose STIX-TAXII and Full
    4. Click Save
  8. Select an import schedule by clicking + on the Schedule Summary. Select when to start the import and how often to import to get new data from the website.
  9. The imported data will show on the right pane after some time.
