FortiSIEM Managing CMDB Objects

Leave a reply
Managing CMDB Objects

CMDB objects include discovered devices and their network relationships, as well as system objects like rules and events. You can find the full list of these objects in the Device View of the CMDB tab, and you can add objects to the database or edit ones that are already there.

Anonymity Networks and Groups

Setting Up an External Data Source for Anonymity Networks

Applications

Malware Domains

Updating System Defined Malware Domain Groups

Manually Creating Malware Domains and Groups Custom Malware Domain Threat Feed

Updating System-Defined Malware IP Groups

Manually Creating Malware IP Addresses and Groups

Custom Malware IP Threat Feed

Malware URLs

Updating System-Defined Malware URL Group

Manually Creating Malware URLs

Custom Malware URL Threat Feed

Malware Hashes

Updating System Defined Malware Hash Group

Manually Creating Manual Hash

Custom Malware Hash Threat Feed

Malware Processes

Country Groups

Creating CMDB Groups and Adding Objects to Them

Default Passwords

Creating a Watch List

System-Defined Watch Lists

Anonymity Networks and Groups

An anonymity network is used to hide one’s network identity, and is typically used by malware to hide its originating IP address. Enterprise network traffic should not be originating from or destined to Anonymity network.

When FortiSIEM discovers traffic destined to or originating from anonymity networks, it triggers these rules:

Inbound Traffic from Tor Network

Outbound Traffic to Tor Network

Inbound Traffic from Open Proxies

Outbound Traffic to Open Proxies

Adding an Anonymity Network

  1. Log into your Supervisor node.
  2. Go to CMDB > Anonymity Networks.
  3. Create a group to add the new network to if you are not adding it to an existing group.
  4. Select the group where you want to add the anonymity network.
  5. Click New.
  6. Enter IP, Port, and Country information about the anonymity network.
  7. Click the Calendar icon to enter the date you created or updated this entry.
  8. Click Save.

 

 

 

Setting Up an External Data Source for Anonymity Networks

This topic describes how to import anonymity networks information into FortiSIEM from external threat feed websites. Anonymity networks are used by malware to hide their own identity. Two prominent examples of anonymity networks are Open Proxies and TOR Nodes.

Prerequisites

Procedure

Websites with built in support

Custom websites – CSV data – one-time manual import

Custom websites – CSV data – programmatic import

New Websites – non-CSV data – programmatic import

Prerequisites

Before proceeding gather the following information about a threat feed web site.

The website URL

Credentials required to access the website (optional)

If the website is not supported by FortiSIEM, you may need to understand the format of the data returned by the URL. if the data is in the comma separated value format (the separator need not be a comma but could be any separator, then a simple integration is possible.

If the data is any other format, e.g. XML, then some code needs to be written for integration using the FortiSIEM provided framework

Procedure

Websites with built in support

The following websites are supported

Threat Stream Open Proxy  (https://api.threatstream.com)

Threat Stream TOR Node  (https://api.threatstream.com)

To import data from these websites, follow these steps

  1. In the CMDB > Anonymity Network, find the website you need to import data from.
  2. Select the folder.
  3. Click Update.
  4. Select Update via API. The link should show in the edit box.
  5. Enter a schedule by clicking on the “+” icon.
  6. Enter the schedule parameters – when to start and how often to import. FortiSIEM recommends no more frequent than hourly.
  7. Select the type of template you want to create.

Custom websites – CSV data – one-time manual import

This requires that the data to be imported is already in a file in comma separated value format. The required format is

  1. Select CMDB>Anonymity Network.
  2. Click on the “+” button on the left navigation tree to bring up the Create New Anonymity Network Group
  3. Enter Group and add Description. Click OK to create the folder under Anonymity Networks.
  4. Select the folder just created.
  5. Select Import from a file.
  6. Click Browse; enter the file name and click Upload.
  7. The imported data will show on the right pane.

Custom websites – CSV data – programmatic import

This requires that the web site data is

  1. Select CMDB > Anonymity Networks.
  2. Click on the “+” button on the left navigation tree to bring up the Create New Anonymity Network Group
  3. Enter Group and add Description. Click OK to create the folder under Anonymity Networks.
  4. Select the folder just created.
  5. Select Update via API
  6. For Website, Click Add.
  7. In the Data Mapping dialog:
    1. Enter the URL of the website
    2. Enter User Name and Password (optional)
    3. For Plugin class, the default class AccelOps.service.threatfeed.impl.ThreatFeedWithMappingPolicyService is shown. Do not modify this for this case.
    4. Enter the correct Field separator (by default it is a comma)
    5. Select CSV as the Data Format
    6. Enter the Data Mapping by choosing the mapped field and the corresponding position in the website data. For example if the IP is in third position, then choose 3 in the Position
    7. Click Save
  8. Select a import schedule by clicking + on the Schedule Summary. Select when to start the import and how often to import to get new data from the website.
  9. The imported data will show on the right pane after some time.

New Websites – non-CSV data – programmatic import

This is the most general case where the website data format does not satisfy the previous conditions. In this case, user has to write a Java plugin class by modifying the default system provided one. After the class has been written and fully tested for correctness, follw these steps.

  1. Select CMDB > Anonymity Networks.
  2. Click on the “+” button on the left navigation tree to bring up the Create New Anonymity Network Group
  3. Enter Group and add Description. Click OK to create the folder under Anonymity Networks.
  4. Select the folder just created.
  5. Select Update via API
  6. For Website, Click Add.
  7. In the Data Mapping dialog:
    1. Enter the URL of the website
    2. Enter User Name and Password (optional)
    3. For Plugin class, the custom Java class for this case.
    4. Enter the correct Field separator (by default it is a comma)
    5. Select CSV as the Data Format
    6. Enter the Data Mapping by choosing the mapped field and the corresponding position in the website data. For example if the IP address is in third position, then choose 3 in the Position g. Click Save
  8. Select a import schedule by clicking + on the Schedule Summary. Select when to start the import and how often to import to get new data from the website.
  9. The imported data will show on the right pane after some time.

 


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

This entry was posted in Administration Guides, FortiSIEM on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.