Skip to main content
harshjoshi
harshjoshi
Explorer
January 6, 2025
Question

Want a workflow for implementation

  • January 6, 2025
  • 2 replies
  • 1098 views

Hey there,

 

I have a use case to be implemented in FortiSIEM. So the flow is that I want to filter the events and based on filtered event I want IOCs from that and I want to enrich that particular IOC using API call and store the API response. Using that stored API response I want to create dashboards. So, the questions are as below mentioned

 

  1. How to filter the events ?
  2. Once the events are filtered, How to extract IOC from that event and where to store that to make API call ?
  3. How to make an API call to external lookup tool for that filtered events or IOC ? Like do we have to create any integration ? 
  4. How and where to store API response data so that it can be used to create dashboard
  5. How to create a custom dashboards ?

 

Please guide me to the entire flow how to implement this. Like what should be the idea flow of all this procedure.

    2 replies

    Secusaurus
    Secusaurus
    Contributor III
    January 6, 2025

    Hi @harshjoshi,

     

    These are a lot of steps, adding a lot of complexity and probably raising a lot of questions while trying to answer that.

    I suppose, you will get better answers when asking for specific tasks.

     

    For a start, I would recommend to go through the (free!) Fortinet Trainings "FCP" and "FCSS" for FortiSIEM at https://training.fortinet.com

    That might answer a lot of questions. Especially your question about filterting feels like you might want to look at the basic principles of FSM as well.

     

    Best,

    Christian

    NSE8 | Fortinet Advanced MSSP Partner
    harshjoshi
    harshjoshiAuthor
    Explorer
    January 7, 2025

    Basically I want to enrich log data (eg., IP address, URLs, File hashes etc. basically IOCs) using external lookup tool like Virustotal or Malwarebytes which can provide me detailed information about a particular IOC using API call and After enrichment I want to create dashboard using that data. So, Logs and data used to enrich will be of platform itself and after data is filtered. So I want clarity on the flow that how enrichment can happen using the data present.

    FSM_FTNT
    Staff
    FSM_FTNT
    Staff
    January 7, 2025

    You can do this with FortiGuard and VirusTotal for incidents, but not on events as they are received.

    You need to configure it as per https://help.fortinet.com/fsiem/7-3-0/Online-Help/HTML5_Help/Integration-settings.htm?Highlight=virustotal#Configur9 and then when looking at an Incident (from v 7.2 onwards) in the slide in on the right, any indicators extracted can be reviewed by clicking the icon of a man

    enrich.png
    It isnt practical to do real time lookups and enrichment of events to external services when they are received, if you can imagine thousands of logs being received, an API to lookup in real time wouldnt keep up.

    An alternative would be to enrich the events using lookup tables that are populated on a schedule at query time.

     

      FSM_FTNT
      Staff
      FSM_FTNT
      Staff
      January 6, 2025

      Hi @harshjoshi some of these questions can be addressed with this https://docs.fortinet.com/document/fortisiem/7.3.0/external-systems-configuration-guide/412973/generic-log-api-poller-https-advanced-integration

      use it to monitor an API endpoint, get the results back as an event and then parser, create rules or dashboards on the event.

      Terms & ConditionsAccessibility statement