FortiSIEM Discussions
harshjoshi
New Contributor II

How to develop an external lookup tool

Hello Team,

I was gaining knowledge about incidents and I came to know that we can set up an external lookup tool like VirusTotal from which we can repudiate the IOCs. I am curious to know how we can build a custom external lookup tool that can be used just like VirusTotal for enrichment. I want answers specific to development, so please answer with development in mind. Questions are as below:

  • Can that only be created by the FortiSIEM platform team, or can I, as a developer, develop this on my own and then submit it to FortiSIEM?
  • If I can develop it, what procedure or coding best practices must be followed?
  • Which languages are used in development?
  • This looks more like manual enrichment of each IOC I select. Can this be automated for every incident?

Feel free to reach out for any kind of clarity on these questions.

If anyone has contact details for a sales or technical team member who can answer these questions, then please send them over here.

TIA.

1 Solution
FSM_FTNT
Staff

Hi,

The VirusTotal integration is developed using Java modules. There is a framework, but currently it doesn't support putting the result in the Incident details slide-out; it can, however, be called through the automation policy to enrich incident comments.

What integration were you thinking about adding here?

8 Replies

harshjoshi
New Contributor II

Thanks for the response @FSM_FTNT,

Really appreciate your help. I want to create a completely new integration like VirusTotal for external lookup, and likewise for threat feed data ingestion. As an external developer, can I develop that and submit it to FortiSIEM? Or do I have to become a partner for this, or can only FortiSIEM developers develop this kind of integration?

FSM_FTNT
Staff

Hi @harshjoshi, the two areas you mention use different frameworks:

1) The VT, SNow, etc. integrations use separate Java modules. I'm checking into this further.
2) The threat feed integration is easier, as it is a Python-based framework that was expanded in 7.2.0 (https://docs.fortinet.com/document/fortisiem/7.2.0/release-notes/553241/whats-new-in-7-2-0), and you can copy and replace these scripts if you need to integrate. Simple CSV and STIX are already supported.

harshjoshi
New Contributor II

Thanks for the response @FSM_FTNT,

Does FortiSIEM have its own marketplace like Splunk? Or does it provide integrations with each new release of the FortiSIEM platform, where all the integrations are installed by default? And again I'm asking: can I develop any new external configuration on my own and publish this external integration, or can this only be developed by FortiSIEM developers?

FSM_FTNT
Staff

There isn't a marketplace currently. FortiSIEM ships with integrations built in, but custom integrations are supported and you are welcome to share via the forum for the time being.

You can create parsers as needed, and if you need to integrate with an API we have this option: https://docs.fortinet.com/document/fortisiem/7.3.0/external-systems-configuration-guide/412973/gener...

Regarding point #2, here are the framework docs for the threat feed integration: https://help.fortinet.com/fsiem/7-1-5/Online-Help/HTML5_Help/python-threatfeedback-framework.htm

Regarding the external integration, which is a Java-based module approach, I am still checking on this.

harshjoshi
New Contributor II

Hi @FSM_FTNT ,

Thank you for your response!

I have a few additional questions on the same topic and would really appreciate your guidance.

  1. How can we submit our custom-developed external integration to the forum you mentioned?
  2. Is it possible to create an external integration using a custom protocol? I came across a video where Microsoft had its own protocol named "O365 Mgmt Activity API." Could we follow a similar approach?
  3. What is the exact use case for a custom protocol, and how can one be created? Would it be something that external developers can implement, or is it managed solely by the Fortinet team?
  4. Is there any development guide or reference material available? Additionally, are there any existing external integration code samples that we can review to understand the required files and structure?
  5. Lastly, as an external developer, can I develop an integration independently, or is a partnership license (or any other specific license) required?

I’d really appreciate any insights or resources you could share. Thanks in advance for your time and help!

harshjoshi

Any updates @FSM_FTNT?

Secusaurus

Hi @harshjoshi,

There is the possibility to write custom Java applications; I got my hands on some simple documentation a while ago. In Java, you have all possibilities, assuming you have a software developer who knows what he's doing ;)

You would then just upload your application to a directory on FSM and reference it in the external integration (you just write the path of your directory in there). As Java code is very easy to retrieve, you might already get your hands on sample code by just extracting the existing integrations from your Supervisor's file system.

But: after we had a look through the information, docs and a sample, we moved on to alternatives:

- Most things can already be solved with a "remediation script" (although the "remediation" naming is quite distracting here), which uses Python and has a lot of possibilities

- Moving further in the SOC and incident handling, FortiSOAR is the way to go

And FortiSOAR then answers some of your questions, because for that product there is a kind of marketplace and independent integrations. I assume there could be some more coming for this in April as well, since FortiSIEM and FortiSOAR have been getting more and more attention lately.

Best,

Christian

FCP & FCSS Security Operations | Fortinet Advanced Partner
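Two of the replies above point at Python as the practical route: the threat-feed framework that ingests simple CSV feeds, and "remediation scripts" that can enrich an incident. The following is an added example, not code from Fortinet, FortiSIEM or anyone in this thread, and it does not use the FortiSIEM framework API (whose module names and function signatures are not given on this page). It models, offline, the two pieces such an integration needs: a feed parser that turns a constructed CSV (column layout `indicator,confidence,description` is an assumption) into typed, validated indicators, and a lookup that enriches one incident IOC against that set and returns the text one would write back as an incident comment. The sample feed values are constructed and the function names are hypothetical.

```python
"""Added example (not FortiSIEM/Fortinet code): offline model of a CSV threat-feed
ingest plus an IOC enrichment lookup. Feed layout, sample rows and all names are
constructed for this illustration."""
import csv
import io
import ipaddress
import re
from dataclasses import dataclass

# MD5 / SHA-1 / SHA-256 hex digests; anything else is not treated as a hash.
HASH_RE = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$")
# Conservative hostname check: 1-63 char labels, no leading/trailing hyphen, at least one dot.
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[a-z0-9-]{1,63}(?<!-)(?:\.(?!-)[a-z0-9-]{1,63}(?<!-))+$"
)


@dataclass(frozen=True)
class Indicator:
    ioc_type: str    # "ip", "domain" or "hash"
    value: str       # normalised: stripped and lower-cased
    confidence: int  # 0-100 as supplied by the feed
    description: str


def classify(raw: str):
    """Return (ioc_type, normalised value), or None if the string is not a usable IOC.
    Validating first means junk from a feed or an incident field never reaches a lookup."""
    v = raw.strip().lower()
    if not v:
        return None
    try:
        return ("ip", str(ipaddress.ip_address(v)))
    except ValueError:
        pass
    if HASH_RE.match(v):
        return ("hash", v)
    if DOMAIN_RE.match(v):
        return ("domain", v)
    return None


def parse_feed(text: str):
    """Parse a CSV feed with header 'indicator,confidence,description' (constructed layout).
    Malformed rows are skipped and counted instead of aborting the whole import, so one
    bad line in a vendor feed does not stop the rest of the indicators from loading."""
    indicators, skipped = [], 0
    for row in csv.DictReader(io.StringIO(text)):
        kind = classify(row.get("indicator") or "")
        try:
            conf = int((row.get("confidence") or "").strip())
        except ValueError:
            conf = -1
        if kind is None or not 0 <= conf <= 100:
            skipped += 1
            continue
        indicators.append(Indicator(kind[0], kind[1], conf, (row.get("description") or "").strip()))
    return indicators, skipped


def lookup(ioc: str, indicators):
    """Enrich a single IOC taken from an incident.
    Returns (comment_text, hit) where comment_text is what an enrichment step would
    append to the incident comments and hit says whether any feed entry matched."""
    kind = classify(ioc)
    if kind is None:
        return f"{ioc.strip()!r}: not a recognised IP, domain or hash; no lookup performed", False
    ioc_type, value = kind
    hits = [i for i in indicators if i.ioc_type == ioc_type and i.value == value]
    if not hits:
        return f"{value} ({ioc_type}): no match in loaded feeds", False
    best = max(hits, key=lambda i: i.confidence)  # report the highest-confidence match
    return f"{value} ({ioc_type}): matched feed entry, confidence {best.confidence}, {best.description}", True


# Constructed sample feed: three valid rows and two deliberately malformed ones.
SAMPLE_FEED = """indicator,confidence,description
198.51.100.23,90,constructed sample: scanning host
Example.EVIL-domain.test,75,constructed sample: phishing landing page
0123456789abcdef0123456789abcdef,95,constructed sample: MD5 of a test file
not an indicator,50,malformed row that should be skipped
203.0.113.5,abc,malformed confidence that should be skipped
"""

if __name__ == "__main__":
    feed, skipped = parse_feed(SAMPLE_FEED)
    print(f"loaded {len(feed)} indicators, skipped {skipped} malformed rows")
    for ioc in ("198.51.100.23", "EXAMPLE.evil-domain.test", "8.8.8.8", "garbage value"):
        print(lookup(ioc, feed)[0])
```

The design point worth carrying into a real feed or lookup script is the validation step: indicators are typed and normalised before they are stored or compared, so a feed row that is not an IP, domain or hash is dropped with a count rather than silently polluting the match set, and an incident field that holds free text never triggers a lookup.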