Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Holiday badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiGuest
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSOAR
- FortiSIEM
- FortiSwitch
- FortiTester
- FortiVoice
- FortiToken
- FortiWAN
- FortiWeb
- FortiAppSec Cloud
- Lacework
- RMA Information and Announcements
- Wireless Controller
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
FortiSIEM Discussions
- Fortinet Community
- Community Groups
- FortiSIEM
- Discussions
- RE: Threat Intelligence
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Threat Intelligence
Hi Guys,
I saw Fortisiem support external threat intelligence source but of the source are not working with my fortisiem. Here is the list :
- SANS
- ThreatStream
- ThreatConnect
- TruSTAR
4 REPLIES 4
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Muhammad,
ThreatStream, ThreatConnect, and TruStar are all paid services I believe, so you will need a valid account at those services. For SANS, you need to run the Update function in the sub-category (for instance the HIGH category), but it appears the original URLs are reaching a site that has been discontinued. Browse to https://isc.sans.edu/feeds/suspiciousdomains_High.txt for example.
Emerging Threat lists should work. (http://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt). But you can include any threat feed that allows you to hit a URL that basically presents the information in a clean format like the above list. Browse to http://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt to see what I mean.
There are also STIX\TAXII options, but it's super simple to pull in a clean list via web if you have them or can find them. For instance, something like this: https://www.badips.com/get/list/badbots/1?age=7d-------------------------------------------
Original Message:
Sent: Oct 15, 2020 04:14 AM
From: Muhammad Hafiz Safwan Bin Jasmi
Subject: Threat Intelligence
ThreatStream, ThreatConnect, and TruStar are all paid services I believe, so you will need a valid account at those services. For SANS, you need to run the Update function in the sub-category (for instance the HIGH category), but it appears the original URLs are reaching a site that has been discontinued. Browse to https://isc.sans.edu/feeds/suspiciousdomains_High.txt for example.
Emerging Threat lists should work. (http://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt). But you can include any threat feed that allows you to hit a URL that basically presents the information in a clean format like the above list. Browse to http://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt to see what I mean.
There are also STIX\TAXII options, but it's super simple to pull in a clean list via web if you have them or can find them. For instance, something like this: https://www.badips.com/get/list/badbots/1?age=7d-------------------------------------------
Original Message:
Sent: Oct 15, 2020 04:14 AM
From: Muhammad Hafiz Safwan Bin Jasmi
Subject: Threat Intelligence
Hi Guys,
I saw Fortisiem support external threat intelligence source but of the source are not working with my fortisiem. Here is the list :
- SANS
- ThreatStream
- ThreatConnect
- TruSTAR
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Kam,
Thanks for the suggestion given, one more question did RiskQ still work in Fortisiem because every time i do external lookup never show any indicator of threat, or is it not reliable like Virustotal
Original Message:
Sent: Oct 15, 2020 09:30 AM
From: Karn Griffen
Subject: Threat Intelligence
Muhammad,
ThreatStream, ThreatConnect, and TruStar are all paid services I believe, so you will need a valid account at those services. For SANS, you need to run the Update function in the sub-category (for instance the HIGH category), but it appears the original URLs are reaching a site that has been discontinued. Browse to https://isc.sans.edu/feeds/suspiciousdomains_High.txt for example.
Emerging Threat lists should work. (http://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt). But you can include any threat feed that allows you to hit a URL that basically presents the information in a clean format like the above list. Browse to http://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt to see what I mean.
There are also STIX\TAXII options, but it's super simple to pull in a clean list via web if you have them or can find them. For instance, something like this: https://www.badips.com/get/list/badbots/1?age=7d
Original Message:
Sent: Oct 15, 2020 04:14 AM
From: Muhammad Hafiz Safwan Bin Jasmi
Subject: Threat Intelligence
Hi Guys,
I saw Fortisiem support external threat intelligence source but of the source are not working with my fortisiem. Here is the list :
- SANS
- ThreatStream
- ThreatConnect
- TruSTAR
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Muhammad,
Sorry, I have not used RiskQ, so I cannot answer. If it is a paid service, you would obviously need an account at RiskQ.
-------------------------------------------
Original Message:
Sent: Oct 16, 2020 01:03 AM
From: Muhammad Hafiz Safwan Bin Jasmi
Subject: Threat Intelligence
Original Message:
Sent: Oct 15, 2020 09:30 AM
From: Karn Griffen
Subject: Threat Intelligence
Muhammad,
ThreatStream, ThreatConnect, and TruStar are all paid services I believe, so you will need a valid account at those services. For SANS, you need to run the Update function in the sub-category (for instance the HIGH category), but it appears the original URLs are reaching a site that has been discontinued. Browse to https://isc.sans.edu/feeds/suspiciousdomains_High.txt for example.
Emerging Threat lists should work. (http://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt). But you can include any threat feed that allows you to hit a URL that basically presents the information in a clean format like the above list. Browse to http://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt to see what I mean.
There are also STIX\TAXII options, but it's super simple to pull in a clean list via web if you have them or can find them. For instance, something like this: https://www.badips.com/get/list/badbots/1?age=7d
Original Message:
Sent: Oct 15, 2020 04:14 AM
From: Muhammad Hafiz Safwan Bin Jasmi
Subject: Threat Intelligence
Sorry, I have not used RiskQ, so I cannot answer. If it is a paid service, you would obviously need an account at RiskQ.
-------------------------------------------
Original Message:
Sent: Oct 16, 2020 01:03 AM
From: Muhammad Hafiz Safwan Bin Jasmi
Subject: Threat Intelligence
Hi Kam,
Thanks for the suggestion given, one more question did RiskQ still work in Fortisiem because every time i do external lookup never show any indicator of threat, or is it not reliable like Virustotal
Original Message:
Sent: Oct 15, 2020 09:30 AM
From: Karn Griffen
Subject: Threat Intelligence
Muhammad,
ThreatStream, ThreatConnect, and TruStar are all paid services I believe, so you will need a valid account at those services. For SANS, you need to run the Update function in the sub-category (for instance the HIGH category), but it appears the original URLs are reaching a site that has been discontinued. Browse to https://isc.sans.edu/feeds/suspiciousdomains_High.txt for example.
Emerging Threat lists should work. (http://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt). But you can include any threat feed that allows you to hit a URL that basically presents the information in a clean format like the above list. Browse to http://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt to see what I mean.
There are also STIX\TAXII options, but it's super simple to pull in a clean list via web if you have them or can find them. For instance, something like this: https://www.badips.com/get/list/badbots/1?age=7d
Original Message:
Sent: Oct 15, 2020 04:14 AM
From: Muhammad Hafiz Safwan Bin Jasmi
Subject: Threat Intelligence
Hi Guys,
I saw Fortisiem support external threat intelligence source but of the source are not working with my fortisiem. Here is the list :
- SANS
- ThreatStream
- ThreatConnect
- TruSTAR
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Muhammad, Like Karn mentioned Risk IQ is a paid service but they also allow X free lookups per day.
You need to register for a RiskIQ account on their site and then once logged in get an API key from under the User profile. Once you have this information, setup the integration in FortiSIEM Admin/ General / External Integration
Profile for External Integration needs to be:
Type: Incident
Direction: Outbound
Vendor: RiskIQ
then add in the credential from the RiskIQ site.
should be working ok, I just tested it.
Thanks
Dan
------------------------------
Daniel
FortiSIEM Product Manager
------------------------------
-------------------------------------------
Original Message:
Sent: Oct 16, 2020 10:27 AM
From: Karn Griffen
Subject: Threat Intelligence
Muhammad,
Sorry, I have not used RiskQ, so I cannot answer. If it is a paid service, you would obviously need an account at RiskQ.
Original Message:
Sent: Oct 16, 2020 01:03 AM
From: Muhammad Hafiz Safwan Bin Jasmi
Subject: Threat Intelligence
Original Message:
Sent: Oct 15, 2020 09:30 AM
From: Karn Griffen
Subject: Threat Intelligence
Muhammad,
ThreatStream, ThreatConnect, and TruStar are all paid services I believe, so you will need a valid account at those services. For SANS, you need to run the Update function in the sub-category (for instance the HIGH category), but it appears the original URLs are reaching a site that has been discontinued. Browse to https://isc.sans.edu/feeds/suspiciousdomains_High.txt for example.
Emerging Threat lists should work. (http://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt). But you can include any threat feed that allows you to hit a URL that basically presents the information in a clean format like the above list. Browse to http://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt to see what I mean.
There are also STIX\TAXII options, but it's super simple to pull in a clean list via web if you have them or can find them. For instance, something like this: https://www.badips.com/get/list/badbots/1?age=7d
Original Message:
Sent: Oct 15, 2020 04:14 AM
From: Muhammad Hafiz Safwan Bin Jasmi
Subject: Threat Intelligence
You need to register for a RiskIQ account on their site and then once logged in get an API key from under the User profile. Once you have this information, setup the integration in FortiSIEM Admin/ General / External Integration
Profile for External Integration needs to be:
Type: Incident
Direction: Outbound
Vendor: RiskIQ
then add in the credential from the RiskIQ site.
should be working ok, I just tested it.
Thanks
Dan
------------------------------
Daniel
FortiSIEM Product Manager
------------------------------
-------------------------------------------
Original Message:
Sent: Oct 16, 2020 10:27 AM
From: Karn Griffen
Subject: Threat Intelligence
Muhammad,
Sorry, I have not used RiskQ, so I cannot answer. If it is a paid service, you would obviously need an account at RiskQ.
Original Message:
Sent: Oct 16, 2020 01:03 AM
From: Muhammad Hafiz Safwan Bin Jasmi
Subject: Threat Intelligence
Hi Kam,
Thanks for the suggestion given, one more question did RiskQ still work in Fortisiem because every time i do external lookup never show any indicator of threat, or is it not reliable like Virustotal
Original Message:
Sent: Oct 15, 2020 09:30 AM
From: Karn Griffen
Subject: Threat Intelligence
Muhammad,
ThreatStream, ThreatConnect, and TruStar are all paid services I believe, so you will need a valid account at those services. For SANS, you need to run the Update function in the sub-category (for instance the HIGH category), but it appears the original URLs are reaching a site that has been discontinued. Browse to https://isc.sans.edu/feeds/suspiciousdomains_High.txt for example.
Emerging Threat lists should work. (http://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt). But you can include any threat feed that allows you to hit a URL that basically presents the information in a clean format like the above list. Browse to http://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt to see what I mean.
There are also STIX\TAXII options, but it's super simple to pull in a clean list via web if you have them or can find them. For instance, something like this: https://www.badips.com/get/list/badbots/1?age=7d
Original Message:
Sent: Oct 15, 2020 04:14 AM
From: Muhammad Hafiz Safwan Bin Jasmi
Subject: Threat Intelligence
Hi Guys,
I saw Fortisiem support external threat intelligence source but of the source are not working with my fortisiem. Here is the list :
- SANS
- ThreatStream
- ThreatConnect
- TruSTAR
Announcements
Welcome to your new Fortinet Community!
You'll find your previous forum posts under "Forums"
Labels
-
FortiSIEM
94 -
Rules
4 -
ClickHouse
3 -
Agent Linux
3 -
FortiSIEM v6.x
3 -
database
3 -
Parsers
3 -
Collector
3 -
Supervisor
2 -
Incidents
2 -
GUI
2 -
watchlist
2 -
Agent
2 -
fortisiem v7.2.0
2 -
FortiGate
2 -
Collector Agent
2 -
SAML
2 -
cisco wsa
1 -
lookuptables
1 -
FortiSiem 7.1
1 -
Alma Linux 8
1 -
Oracle Linux 8
1 -
Rocky Linux 8
1 -
Redhat 8
1 -
User Control
1 -
Impact
1 -
RBAC
1 -
CMDB
1 -
OPManager
1 -
o
1 -
discovery
1 -
FortiClient
1 -
FortiAuthenticator v5.5
1 -
upgrade
1 -
IPsec
1 -
LDAP
1 -
Report
1 -
integration
1 -
Cisco
1 -
Certificate
1 -
Analytics & Reporting
1 -
Notifications
1 -
Expressions
1 -
Status
1 -
MySQL
1 -
dashboard
1 -
Usage
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.