VirusTotal Integration in FortiSIEM
Can anyone please explain the features which are available in VirusTotal Integration in FortiSIEM.
Does it support automatic enrichment of incidents/events using VirusTotal API?
Labels: API, FortiSIEM, FortiSIEM Cloud, integration
Hi @Kunj ,
All details regarding VirusTotal Integration are published in below document:
Integration Settings - VirusTotal :
https://help.fortinet.com/fsiem/7-1-3/Online-Help/HTML5_Help/Integration-settings.htm#VirusTot2
VirusTotal Incident Outbound Integration:
https://help.fortinet.com/fsiem/7-2-1/Online-Help/HTML5_Help/External_lookup_RiskIQ_VirusTotal.htm
System Settings - Lookup :
https://help.fortinet.com/fsiem/7-2-1/Online-Help/HTML5_Help/System_Settings.htm#Lookup
You can integrate VirusTotal with FortiSIEM using the sections available in GUI.
Also link the integration to an automation policy, so that the integration runs when the automation policy triggers.
Prem Chander R
Thanks for the detailed information, @premchanderr,
I’ve gone through the documentation, but I’m still unsure about a couple of things. Specifically, does the VirusTotal integration enrich data and store it in the Lookup files? Or does it store the enrichment data directly in the incident comments?
I’d appreciate any further clarification on this.
Thanks again!
Make sure you have configured the FortiGuard and the VirusTotal External integration under Admin / Settings / External Integration.
If you also check under Admin / Settings / Automation policy and then External Integration, you can use it to add the VirusTotal summary info to the Incident.
When looking at an incident and getting the slide-in with the incident details, it will also provide information on what FortiGuard and VirusTotal know about the IOC (IP, domain) and uses it as part of the overall rating of the IoC. You can manually add this information to the Incident.
When viewing the incidents and there is an IP that has the malicious (looks like a bug) icon next to it, they would have been enriched and evaluated once the incident was generated. This information is then cached locally on the super and periodically refreshed.
Thanks @FSM_FTNT for your reply,
Can we use the locally stored/cached enriched data to create dashboards?
Afraid not, this is a special case.
What would you want the dashboard to show? Maybe there is another way we can achieve it.
