harshjoshi
Explorer
January 23, 2025
Solved

How to develop an external lookup tool

  • January 23, 2025
  • 4 replies
  • 2011 views

Hello Team,

 

I was gaining knowledge about incidents and I came to know that we can set up an external lookup tool like VirusTotal from which we can repudiate the IOCs. I am curious to know how we can build a custom external lookup tool which can be used just like VirusTotal for enrichment. I want answers particular to development, so please answer with development in mind. Questions are as below:

 

  • Can that only be created by the FortiSIEM platform team, or can I as a developer develop this on my own and then submit it to FortiSIEM?
  • If I can develop it, what procedure or coding best practices must be followed?
  • Which languages are used in development?
  • This looks more like manual enrichment of each IOC which I select. Can this be automated for every incident?

Feel free to reach out for any clarification on these questions.

 

If anyone has sales team or technical team contact details, then please send them over here so they can answer these questions.

 

TIA.

    Best answer by FSM_FTNT


    4 replies

    FSM_FTNT
    Staff (best answer)
    January 28, 2025

    Hi,

     

    The VirusTotal integration is developed using java modules. There is a framework, but currently it doesn't support putting the result in the Incident details slide out, but can be called through the automation policy to enrich incident comments.

    What integration were you thinking about adding here?

    harshjoshi
    Explorer
    January 29, 2025

    Thanks for the response @FSM_FTNT,

    Really appreciate your help. I want to create a completely new integration like VirusTotal for external lookup and also for threat feed data ingestion. As an external developer, can I develop that and submit it to FortiSIEM? Or do I have to become a partner for this, or can only FortiSIEM developers develop this kind of integration?

    FSM_FTNT
    Staff
    January 29, 2025

    Hi @harshjoshi the two areas you mention use different frameworks:

    1) The VT, SNow, etc. integration uses separate java modules. I'm checking into this further.
    2) The threat feed integration is easier as it is a python based framework that expanded in 7.2.0 (https://docs.fortinet.com/document/fortisiem/7.2.0/release-notes/553241/whats-new-in-7-2-0), and you can copy and replace these scripts if you need to integrate. Simple CSV and STIX are already supported.

    harshjoshi
    Explorer
    January 30, 2025

    Thanks for the response @FSM_FTNT,

    Does FortiSIEM have its own marketplace like Splunk? Or does it provide integrations with each new release of the FortiSIEM platform, where all the integrations are installed by default? And again I'm asking: can I develop a new external integration on my own and publish it, or can this only be developed by FortiSIEM developers?

    FSM_FTNT
    Staff
    January 30, 2025

    There isn't a marketplace currently. FortiSIEM ships with integrations built-in, but custom integrations are supported and you are welcome to share via the forum for the time being.

    You can create parsers as needed and if you need to integrate with an API we have this option https://docs.fortinet.com/document/fortisiem/7.3.0/external-systems-configuration-guide/412973/generic-log-api-poller-https-advanced-integration

    Regarding point #2, here is the framework docs for the threat feed integration https://help.fortinet.com/fsiem/7-1-5/Online-Help/HTML5_Help/python-threatfeedback-framework.htm

    Regarding the external integration which is a java based module approach, I am checking on this still.

     
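The reply above points at FortiSIEM's Python threat-feed framework (which already handles simple CSV and STIX) and at the java-module path used for VirusTotal-style external lookups. Whatever the platform hooks look like, a custom feed ingester has to validate and normalise indicators before they are trusted for enrichment, or a malformed feed row becomes a false positive or a missed match. The stand-alone Python below is an added example written for this thread; it is not FortiSIEM's framework, not its API, and not code from Fortinet. The CSV feed, its column names (indicator, type, confidence, description) and the `load_feed` / `lookup` helpers are all constructed for illustration. It covers both topics raised in the thread: ingesting a CSV feed and doing an enrichment-style lookup of a single IOC against it.

```python
import csv
import io
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample feed (hypothetical source). Columns: indicator,type,confidence,description
# Deliberately contains a malformed row, a case-variant duplicate and an empty indicator.
SAMPLE_FEED_CSV = """indicator,type,confidence,description
198.51.100.23,ip,80,scanner seen in honeypot (constructed)
bad.example.net,domain,70,phishing landing page (constructed)
44d88612fea8a8f36de82e1278abb02f,md5,90,EICAR test file hash
not an ip,ip,50,malformed row that must be dropped
BAD.Example.NET,domain,60,duplicate after normalisation
,domain,60,empty indicator
"""

# Conservative hostname check: dotted labels of letters/digits/hyphens, alphabetic TLD.
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")
HASH_LENGTHS = {"md5": 32, "sha1": 40, "sha256": 64}


@dataclass(frozen=True)
class Indicator:
    value: str
    kind: str
    confidence: int
    description: str


def normalise(value, kind):
    """Return the canonical form of an indicator, or None if it is not valid for its type."""
    value = value.strip().lower()
    if kind == "ip":
        try:
            return str(ipaddress.ip_address(value))  # rejects junk, canonicalises IPv6
        except ValueError:
            return None
    if kind == "domain":
        return value if DOMAIN_RE.match(value) else None
    if kind in HASH_LENGTHS:
        return value if re.fullmatch(r"[0-9a-f]{%d}" % HASH_LENGTHS[kind], value) else None
    return None  # unsupported indicator type


def load_feed(csv_text):
    """Parse a CSV feed into validated, de-duplicated Indicators keyed by (kind, value)."""
    feed = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        kind = (row.get("type") or "").strip().lower()
        value = normalise(row.get("indicator") or "", kind)
        if value is None:
            continue  # malformed or unsupported rows are dropped, never ingested
        try:
            confidence = int(row.get("confidence") or 0)
        except ValueError:
            confidence = 0
        confidence = max(0, min(100, confidence))
        key = (kind, value)
        # When the same indicator repeats, keep the highest-confidence entry.
        if key not in feed or feed[key].confidence < confidence:
            feed[key] = Indicator(value, kind, confidence, (row.get("description") or "").strip())
    return feed


def lookup(feed, raw_value):
    """Enrichment-style lookup: try each supported type and return the matching Indicator or None."""
    for kind in ("ip", "domain", *HASH_LENGTHS):
        value = normalise(raw_value, kind)
        if value is not None and (kind, value) in feed:
            return feed[(kind, value)]
    return None


if __name__ == "__main__":
    feed = load_feed(SAMPLE_FEED_CSV)
    for ioc in ("198.51.100.23", "BAD.Example.NET", "203.0.113.9"):
        print(ioc, "->", lookup(feed, ioc))
```

The lookup normalises the query the same way the feed was normalised, so case and formatting differences in an incident's IOC field do not cause a miss; rows that fail validation are dropped at ingestion rather than stored, which keeps a bad upstream feed from polluting enrichment results.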

    harshjoshi
    Explorer
    January 31, 2025

    Hi @FSM_FTNT,

    Thank you for your response!

    I have a few additional questions on the same topic and would really appreciate your guidance.

    1. How can we submit our custom-developed external integration to the forum you mentioned?
    2. Is it possible to create an external integration using a custom protocol? I came across a video where Microsoft had its own protocol named "O365 Mgmt Activity API." Could we follow a similar approach?
    3. What is the exact use case for a custom protocol, and how can one be created? Would it be something that external developers can implement, or is it managed solely by the Fortinet team?
    4. Is there any development guide or reference material available? Additionally, are there any existing external integration code samples that we can review to understand the required files and structure?
    5. Lastly, as an external developer, can I develop an integration independently, or is a partnership license (or any other specific license) required?

    I’d really appreciate any insights or resources you could share. Thanks in advance for your time and help!

    harshjoshi
    Explorer
    February 5, 2025

    Any updates @FSM_FTNT?