Help
FortiSOAR Discussions
Deep
New Contributor

Created on ‎11-13-2024 12:59 AM

Threat Intel Management - Enable TAXII Server

Hello,

 

I have enabled TAXII Server via Threat Intel Management and configured the TAXII on my FortiGate devices too. The Malicious entries are being synced to FortiGate configurations however facing few issues and need help on below: 

 

1- We had a requirement to add additional picklist types for filehashes i.e. Vhash, SSDEEP, Authentihash for blocking. And added the values too in TIM. It got synced to FortiGate however shows invalid entries unlike other valid entries for Filehash MD5, SHA1. Please guide what is missing here.

 

2-For some FortiGate devices, Threat intel feeds are replicated to some FortiGate devices and are not replicated on some. Please guide what can be the issue and any logs or troubleshooting steps for the same.

TIM.jpg
Preview file
104 KB
809
0 Kudos
4 REPLIES 4
sahirrao
Staff
Staff

Created on ‎11-14-2024 03:12 AM

@Deep We need to troubleshoot the FortiGate to understand how the feeds are being consumed and mapped. We also need to replicate the same scenario in our lab. Please give us some time to do this.

777
0 Kudos
sahirrao
Staff
Staff

Created on ‎11-26-2024 09:16 PM

Apologies for the delayed response.

1. **RCA:**: According to the STIX indicator specification, valid hash types include MD5, SHA-1, SHA-256, and SHA-512. STIX does not support VHash, SSDEEP, or Authentihash. Please map the VHash, SSDEEP, and Authentihash hashes to the appropriate hash types supported by the STIX specification.
 
2. **RCA:** The failure may be due to the following two reasons:
1. Please verify whether the STIX indicator type fields being used in the firewall are present.
2. Each STIX indicator object requires the `pattern`, `pattern_type`, and `valid_from` properties, which are not being provided by the integration and could be causing the failure. Could you clarify which FortiSOAR integration feeds you are attempting to block in the firewall?
648
0 Kudos
Deep
New Contributor
In response to sahirrao

Created on ‎12-12-2024 08:14 AM

Appreciate your reply @sahirrao .

1-Can you please guide on which hash types are they when you say "Please map the VHash, SSDEEP, and Authentihash hashes to the appropriate hash types supported by the STIX specification"

2-The usual IOCs - IP, Domain, etc.

 

537
0 Kudos
sahirrao
Staff
Staff

Created on ‎12-28-2024 08:36 AM

1. VHash, SSDEEP, and Authentihash are not supported by STIX. You can use STIX to represent file hashes with MD5, SHA-1, and SHA-256

2. For IP, Domain STIX indicator object requires the `pattern``pattern_type`, and `valid_from` properties. Please check these property are present in STIX objects.

 

449
0 Kudos
Announcements

Welcome to your new FortiSOAR Community!

View More

Labels
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.