Cybersecurity Forum

This forum is for all security enthusiasts to discuss Fortinet's latest & evolving technologies and to connect & network with peers in the cybersecurity hemisphere. Share and learn on a broad range of topics like best practices, use cases, integrations and more. For support specific questions/resources, please visit the Support Forum or the Knowledge Base.

HafizJasmi
New Contributor

Threat Intelligence

Hi Guys,

I saw that FortiSIEM supports external threat intelligence sources, but some of the sources are not working with my FortiSIEM. Here is the list:

  • SANS
  • ThreatStream
  • ThreatConnect
  • TruSTAR
These 4 sources are not working in my Resources; any suggestion or new URL update for this? Or do you guys have another free THREAT INTELLIGENCE resource that can connect to FortiSIEM via API?
1 Solution
KarnGriffen
New Contributor III

Muhammad,

ThreatStream, ThreatConnect, and TruSTAR are all paid services I believe, so you will need a valid account at those services. For SANS, you need to run the Update function in the sub-category (for instance the HIGH category), but it appears the original URLs are reaching a site that has been discontinued. Browse to https://isc.sans.edu/feeds/suspiciousdomains_High.txt for example.

Emerging Threats lists should work (http://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt). But you can include any threat feed that allows you to hit a URL that basically presents the information in a clean format like the above list. Browse to http://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt to see what I mean.

There are also STIX/TAXII options, but it's super simple to pull in a clean list via web if you have them or can find them. For instance, something like this: https://www.badips.com/get/list/badbots/1?age=7d
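The answer above hinges on the feed being in a "clean format": one indicator per line, with nothing but comments around it. A feed whose URL has been discontinued usually returns an HTML page instead, which a SIEM will either reject or silently ingest as junk. The following added example (my own code, not from the original post and not part of FortiSIEM) parses a plain-text feed body into validated IPs, CIDR blocks and hostnames, and flags anything that does not parse, so a feed can be sanity-checked before it is pointed at the SIEM. The sample feed embedded below is constructed for the example and is not live feed data.

```python
"""
Check that a plain-text threat feed is in the "one indicator per line"
format that a URL-based feed import expects.

Added example, not FortiSIEM code: parse a feed body, keep valid IPv4/IPv6
addresses, CIDR blocks and hostnames, and report anything else so a broken
feed (HTML error page from a discontinued URL, wrong delimiter) is caught
before the SIEM ingests it.
"""
import ipaddress
import re
from dataclasses import dataclass, field

# Hostname: dot-separated labels of letters/digits/hyphens, alphabetic TLD, no scheme.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$"
)

# Constructed sample in the style of an Emerging Threats block list (not real feed data).
SAMPLE_FEED = """\
# Block list (constructed sample, not live feed data)
# Rev 1
192.0.2.10
198.51.100.0/24
2001:db8::1
evil-example.test   # inline comment
bad.example.net
"""

# What a discontinued feed URL typically returns instead of indicators.
SAMPLE_HTML = "<html><head><title>404 Not Found</title></head><body>Gone</body></html>"


@dataclass
class FeedIndicators:
    ips: list = field(default_factory=list)
    cidrs: list = field(default_factory=list)
    domains: list = field(default_factory=list)
    rejected: list = field(default_factory=list)  # (line_no, raw_line) that did not parse


def parse_feed(text: str) -> FeedIndicators:
    """Parse a plain-text feed: one indicator per line, '#' starts a comment."""
    out = FeedIndicators()
    for line_no, raw in enumerate(text.splitlines(), start=1):
        entry = raw.split("#", 1)[0].strip()  # drop inline and whole-line comments
        if not entry:
            continue  # blank or comment-only line
        if "/" in entry:
            try:
                # strict=False accepts host bits set, e.g. 10.1.2.3/24 -> 10.1.2.0/24
                out.cidrs.append(str(ipaddress.ip_network(entry, strict=False)))
                continue
            except ValueError:
                pass
        try:
            out.ips.append(str(ipaddress.ip_address(entry)))
            continue
        except ValueError:
            pass
        if _HOSTNAME_RE.match(entry.lower()):
            out.domains.append(entry.lower())
            continue
        out.rejected.append((line_no, raw))
    return out


def looks_like_clean_feed(text: str, max_reject_ratio: float = 0.05) -> bool:
    """True when the body is overwhelmingly indicators, i.e. not an HTML error page."""
    parsed = parse_feed(text)
    total = len(parsed.ips) + len(parsed.cidrs) + len(parsed.domains)
    if total == 0:
        return False
    return len(parsed.rejected) / (total + len(parsed.rejected)) <= max_reject_ratio


if __name__ == "__main__":
    result = parse_feed(SAMPLE_FEED)
    print(f"ips={result.ips} cidrs={result.cidrs} domains={result.domains}")
    print(f"rejected={result.rejected}")
    print("sample feed clean:", looks_like_clean_feed(SAMPLE_FEED))
    print("html body clean:", looks_like_clean_feed(SAMPLE_HTML))
```

To check a real feed, fetch the URL with any HTTP client and pass the response body to `looks_like_clean_feed`; a `False` result means the SIEM should not be pointed at that URL until the feed is fixed or replaced, and `parse_feed(...).rejected` tells you which lines are the problem.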

HafizJasmi

Hi Kam,

Thanks for the suggestions given. One more question: does RiskIQ still work in FortiSIEM? Every time I do an external lookup it never shows any indicator of threat, or is it not reliable like VirusTotal?

KarnGriffen

Muhammad,

Sorry, I have not used RiskIQ, so I cannot answer. If it is a paid service, you would obviously need an account at RiskIQ.
FSM_FTNT

Hi Muhammad,

Like Karn mentioned, RiskIQ is a paid service, but they also allow X free lookups per day.

You need to register for a RiskIQ account on their site and then, once logged in, get an API key from under the User profile. Once you have this information, set up the integration in FortiSIEM under Admin / General / External Integration.

The profile for External Integration needs to be:

Type: Incident
Direction: Outbound
Vendor: RiskIQ

Then add the credential from the RiskIQ site.

It should be working OK; I just tested it.

Thanks

Dan

------------------------------
Daniel
FortiSIEM Product Manager
------------------------------