harshjoshi
Explorer
January 9, 2025
Question

How to build an external lookup tool


Hello Team,

I was gaining knowledge about incidents and I came to know that we can set up an external lookup tool like VirusTotal from which we can repudiate the IOCs. I am curious to know how we can build a custom external lookup tool which can be used just like VirusTotal for enrichment. Questions are as below:

  • Can that only be created by the FortiSIEM platform team, or can I as a developer develop this and then submit it to FortiSIEM after developing it on my own?
  • If I can develop it, what procedure or coding best practices must be followed?
  • Which languages are used in development?
  • This looks more like manual enrichment of each IOC I select. Can this be automated for every incident?

Feel free to reach out for any kind of clarity on these questions.

If anyone has sales team or technical team contact details, then please send them over here so they can answer these questions.

TIA.

2 replies

PartBhat
Staff
January 9, 2025

Two ways to do it:

1. Import a Malware IP/Domain/Hash/URL list in FortiSIEM. Then you can use it in rules, e.g. destIp IN Malware_IP_Group_1, and it will be automatically used in Reputation Checks for Incidents (on demand or automated via notification policy).

https://help.fortinet.com/fsiem/7-3-0/Online-Help/HTML5_Help/Importing_malware_ip_information.htm

2. Define in External integrations - only VirusTotal and FortiGuard are supported. There is no programmatic lookup.

https://help.fortinet.com/fsiem/7-3-0/Online-Help/HTML5_Help/External_lookup_RiskIQ_VirusTotal.htm
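As an added illustration of the first route in the reply above (the rule-based, automatic one rather than per-IOC manual lookup), this is example code written for this thread, not FortiSIEM's own code or its import file format; the feed rows, the "low_ip,high_ip,description" layout and the sample events are all constructed.

```python
import ipaddress

# Constructed malware IP list (hypothetical feed rows, not a FortiSIEM export):
# each row is "low_ip,high_ip,description"; a single host uses low == high.
MALWARE_IP_FEED = """\
198.51.100.10,198.51.100.10,constructed C2 host
203.0.113.0,203.0.113.255,constructed hosting range
198.51.100.10,198.51.100.10,duplicate of first row
not-an-ip,also-bad,malformed row that must be rejected
"""

def load_malware_group(feed_text):
    """Parse feed rows into (low, high) integer ranges, dropping bad and duplicate rows."""
    ranges = set()
    for line in feed_text.splitlines():
        parts = [p.strip() for p in line.split(",")]
        if len(parts) < 2:
            continue
        try:
            low = ipaddress.IPv4Address(parts[0])
            high = ipaddress.IPv4Address(parts[1])
        except ipaddress.AddressValueError:
            continue  # skip malformed rows instead of poisoning the group
        if high < low:
            low, high = high, low
        ranges.add((int(low), int(high)))
    return sorted(ranges)

def in_group(ip, group):
    """Equivalent of the rule condition 'destIp IN Malware_IP_Group_1'."""
    try:
        n = int(ipaddress.IPv4Address(ip))
    except ipaddress.AddressValueError:
        return False
    return any(low <= n <= high for low, high in group)

# Constructed events; a rule is evaluated against every event, not only hand-picked IOCs
SAMPLE_EVENTS = [
    {"srcIp": "10.0.0.5", "destIp": "198.51.100.10"},
    {"srcIp": "10.0.0.6", "destIp": "203.0.113.77"},
    {"srcIp": "10.0.0.7", "destIp": "192.0.2.1"},
]

def match_events(events, group):
    """Return the events whose destIp is in the malware group (rule hits)."""
    return [e for e in events if in_group(e["destIp"], group)]

if __name__ == "__main__":
    for hit in match_events(SAMPLE_EVENTS, load_malware_group(MALWARE_IP_FEED)):
        print("rule hit:", hit)
```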

harshjoshi
Explorer
January 10, 2025

Is the current VirusTotal integration present in FortiSIEM developed by the FortiSIEM team themselves, or can we build something like that on our own? Like I mentioned, I want to create a system-wide lookup tool exactly like VirusTotal. How can I do that? I know how to perform lookup or enrichment; I want to know how I can develop or integrate something like that of my own.

harshjoshi
Explorer
January 20, 2025

Can anyone help me with development-related questions?