FortiSIEM Discussions
poojan_patel2
New Contributor

Ingesting Threat Feed Data from 3rd Party Applications into FortiSIEM

Hello FortiSIEM Community,

I am working on a use case where I need to collect threat feed data from a 3rd party application and ingest it into the FortiSIEM platform. I came across the Python Threat Feed Framework, which mentions creating integrations for data collection.

However, I have some clarifications regarding my scenario. I have more than 10 different threat lists, each with its own API. These threat lists contain various Indicators of Compromise (IoCs), such as IPs, domains, URLs, and hashes, but the data is structured differently. Instead of having direct IoC information like IPs, domains, or hashes, each threat list provides its own unique API endpoint that returns a set of IoCs for that list.

Given this setup:

  1. Can the Python Threat Feed Framework support the ingestion of this data? Specifically, will it allow me to collect the IoC data from these multiple threat lists while each threat list contains its list of IoCs?
  2. Can I directly ingest this API data as events in FortiSIEM?
    If not, what would the process look like to search for specific IoCs from these threat lists (such as IPs, domains, URLs, or hashes) in FortiSIEM's Analytics tab once the data is ingested?

Any guidance on how to structure this integration or additional resources would be greatly appreciated!

Thanks in advance!

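Whatever the FortiSIEM side of the integration ends up looking like, the part of the problem described above that is independent of the SIEM is the normalization layer: every list returns IoCs in its own shape, and before anything is loaded you want one record format, a reliable IoC type (IPv4, IPv6, domain, URL, hash), refanged values, and de-duplication across lists so that one indicator seen in several feeds keeps all of its sources. The following is an added example written for this thread; it is not code from the original post, from Fortinet, or from the Python Threat Feed Framework. The three feed response bodies, the feed names, and the per-feed extractor functions are constructed stand-ins for the "unique API endpoint" each list exposes; in a real collector each extractor would wrap the HTTP call to that list's API.

```python
import csv
import io
import ipaddress
import json
import re

# Constructed sample responses standing in for three differently structured
# threat-list APIs (hypothetical shapes, not any vendor's real feed format).
FEED_A_JSON = '["198.51.100.23", "evil.example", "hxxp://bad.example/payload.bin"]'
FEED_B_JSON = json.dumps({"data": [
    {"indicator": "d41d8cd98f00b204e9800998ecf8427e", "kind": "md5"},
    {"indicator": "2001:db8::1", "kind": "ip"},
    {"indicator": "198.51.100.23", "kind": "ip"},   # duplicate of a feed_a entry
]})
FEED_C_CSV = "value,confidence\nmalware.example,80\nhttps://c2.example/gate.php,95\n"

HASH_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
URL_RE = re.compile(r"^https?://\S+$", re.I)
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)


def refang(value):
    """Undo common defanging (hxxp, [.], (.)) so values compare and match cleanly."""
    return (value.strip()
            .replace("hxxp", "http").replace("HXXP", "http")
            .replace("[.]", ".").replace("(.)", "."))


def classify(value):
    """Return (ioc_type, normalized_value); ioc_type is None if the value is not recognised."""
    v = refang(value)
    try:
        ip = ipaddress.ip_address(v)          # strict parse: rejects 999.1.1.1, CIDRs, etc.
        return ("ipv4" if ip.version == 4 else "ipv6"), v
    except ValueError:
        pass
    if HEX_RE.match(v) and len(v) in HASH_LENGTHS:
        return HASH_LENGTHS[len(v)], v.lower()  # hashes are compared case-insensitively
    if URL_RE.match(v):
        return "url", v                        # keep URL case: paths can be case-sensitive
    if DOMAIN_RE.match(v):
        return "domain", v.lower()
    return None, v


# One extractor per list: each turns that list's API response body into raw strings.
def extract_feed_a(body):
    return json.loads(body)                    # bare JSON array of indicators


def extract_feed_b(body):
    return [item["indicator"] for item in json.loads(body)["data"]]


def extract_feed_c(body):
    return [row["value"] for row in csv.DictReader(io.StringIO(body))]


# Hypothetical feed registry: name -> (response body, extractor).
FEEDS = {
    "feed_a": (FEED_A_JSON, extract_feed_a),
    "feed_b": (FEED_B_JSON, extract_feed_b),
    "feed_c": (FEED_C_CSV, extract_feed_c),
}


def normalize(feeds):
    """Merge all feeds into unified records: {"type", "value", "sources"}, deduplicated."""
    seen = {}
    for name, (body, extract) in feeds.items():
        for raw in extract(body):
            ioc_type, value = classify(raw)
            if ioc_type is None:
                continue   # unknown shape: drop it rather than poison a watch list
            rec = seen.setdefault((ioc_type, value),
                                  {"type": ioc_type, "value": value, "sources": []})
            if name not in rec["sources"]:
                rec["sources"].append(name)
    return sorted(seen.values(), key=lambda r: (r["type"], r["value"]))


def by_type(records):
    """Group normalized values by IoC type, the shape a per-type watch list load needs."""
    grouped = {}
    for r in records:
        grouped.setdefault(r["type"], []).append(r["value"])
    return grouped


if __name__ == "__main__":
    for rec in normalize(FEEDS):
        print(f'{rec["type"]:7} {rec["value"]:45} {",".join(rec["sources"])}')
```

Two design points worth keeping when this is wired to live APIs: classification is done on the value itself rather than trusting a feed's own "kind" field, because feeds disagree on labels and sometimes mislabel, and anything that fails strict parsing is dropped instead of loaded, since a malformed entry in an IP or domain watch list silently matches nothing. The output is grouped by type because the four IoC kinds in the question (IPs, domains, URLs, hashes) are searched against different event attributes; how the grouped lists are then handed to FortiSIEM is the part the post is asking about and is not settled here.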