SIEM & UEBA


Threat Intelligence

  • 1.  Threat Intelligence

    Posted 8 days ago

    Hi Guys,

    I saw that FortiSIEM supports external threat intelligence sources, but some of the sources are not working with my FortiSIEM. Here is the list:

    • SANS
    • ThreatStream
    • ThreatConnect
    • TruSTAR
    These 4 sources are not working in my Resources. Any suggestion or new URL update for this? Or do you guys have another free threat intelligence resource that can connect to FortiSIEM via API?


  • 2.  RE: Threat Intelligence

    Posted 8 days ago
    Muhammad,

    ThreatStream, ThreatConnect, and TruStar are all paid services I believe, so you will need a valid account at those services.  For SANS, you need to run the Update function in the sub-category (for instance the HIGH category), but it appears the original URLs are reaching a site that has been discontinued. Browse to https://isc.sans.edu/feeds/suspiciousdomains_High.txt for example.

    Emerging Threat lists should work.  (http://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt).  But you can include any threat feed that allows you to hit a URL that basically presents the information in a clean format like the above list.  Browse to http://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt to see what I mean.

    There are also STIX/TAXII options, but it's super simple to pull in a clean list via web if you have them or can find them.  For instance, something like this: https://www.badips.com/get/list/badbots/1?age=7d

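    The reply above says any feed that "presents the information in a clean format" at a URL can be used. Feeds of that kind (the Emerging Threats block list is one) are plain text with `#` comment lines, one IP address or CIDR per line, and the odd blank or malformed line. The script below is an added example, not code from the forum thread or from FortiSIEM: it normalises such a feed into a deduplicated list of indicators, drops entries that cannot be parsed, drops RFC 1918/loopback/link-local ranges that would make a SIEM alert on internal traffic (the `NEVER_BLOCK` policy is an assumption of this example), and shows a lookup against the result. The sample feed is constructed for the example and uses documentation addresses; the `fetch_feed` helper is included for pulling a real URL but is not called at import time.

```python
"""Normalise a plain-text threat feed into a clean, deduplicated indicator list.

Added example; not part of the forum thread or of FortiSIEM itself.
Feed layout assumed: '#' comments, blank lines, one IPv4/IPv6 address or
CIDR per line (the layout of emerging-Block-IPs.txt and similar lists).
"""
import ipaddress
import urllib.request
from typing import List, Tuple

# Constructed sample resembling emerging-Block-IPs.txt: comment header,
# single hosts, a CIDR, an inline comment, IPv6, a duplicate, junk lines
# and an internal address that should never reach the SIEM as an IOC.
SAMPLE_FEED = """\
# Emerging Threats style block list (constructed sample, not real data)
# Generated 2023-01-01

192.0.2.10
192.0.2.10
198.51.100.0/24
203.0.113.7  # inline comment after the indicator
2001:db8::1
not-an-ip
999.1.1.1
10.0.0.5
"""

# Assumed policy for this example: ranges that must never be imported as
# external threat indicators (RFC 1918, loopback, link-local, IPv6 ULA).
NEVER_BLOCK = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fe80::/10", "fc00::/7",
)]


def _is_internal(net: ipaddress._BaseNetwork) -> bool:
    """True if the network overlaps any NEVER_BLOCK range of the same IP version."""
    return any(net.version == b.version and net.overlaps(b) for b in NEVER_BLOCK)


def normalise(text: str, drop_internal: bool = True) -> Tuple[List[str], List[str]]:
    """Parse feed text; return (indicators, rejected).

    indicators: deduplicated, in feed order; single hosts as bare addresses,
                ranges in CIDR form (strict=False normalises host bits away).
    rejected:   tokens that did not parse, or were internal ranges.
    """
    seen = set()
    indicators: List[str] = []
    rejected: List[str] = []
    for raw in text.splitlines():
        token = raw.split("#", 1)[0].strip()  # drop full-line and inline comments
        if not token:
            continue
        try:
            net = ipaddress.ip_network(token, strict=False)
        except ValueError:
            rejected.append(token)
            continue
        if drop_internal and _is_internal(net):
            rejected.append(token)
            continue
        out = str(net.network_address) if net.num_addresses == 1 else str(net)
        if out in seen:
            continue
        seen.add(out)
        indicators.append(out)
    return indicators, rejected


def is_listed(indicators: List[str], ip: str) -> bool:
    """Check one address against the normalised list (hosts and CIDRs)."""
    addr = ipaddress.ip_address(ip)
    for ind in indicators:
        net = ipaddress.ip_network(ind, strict=False)
        if addr.version == net.version and addr in net:
            return True
    return False


def fetch_feed(url: str, timeout: float = 30.0) -> str:
    """Download a plain-text feed; only called explicitly, never at import."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


if __name__ == "__main__":
    good, bad = normalise(SAMPLE_FEED)
    print("indicators:", good)
    print("rejected:  ", bad)
    print("198.51.100.77 listed:", is_listed(good, "198.51.100.77"))
```

To run it against a live list, call `normalise(fetch_feed("http://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt"))` and review the `rejected` list before importing: a feed that starts rejecting many lines usually means its format changed or, as with the discontinued SANS URL above, the URL now returns an HTML page rather than the list.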

  • 3.  RE: Threat Intelligence

    Posted 7 days ago

    Hi Kam,

    Thanks for the suggestions given. One more question: does RiskIQ still work in FortiSIEM? Every time I do an external lookup it never shows any indicator of threat, or is it not reliable like VirusTotal?


  • 4.  RE: Threat Intelligence

    Posted 7 days ago
    Muhammad,

    Sorry, I have not used RiskIQ, so I cannot answer.  If it is a paid service, you would obviously need an account at RiskIQ.



  • 5.  RE: Threat Intelligence

    GROUP ADMIN
    Posted 7 days ago
    Hi Muhammad, like Karn mentioned, RiskIQ is a paid service, but they also allow X free lookups per day.

    You need to register for a RiskIQ account on their site and then, once logged in, get an API key from under the User profile. Once you have this information, set up the integration in FortiSIEM under Admin / General / External Integration.

    Profile for External Integration needs to be:

    Type: Incident
    Direction: Outbound
    Vendor: RiskIQ

    Then add the credential from the RiskIQ site.

    It should be working OK, I just tested it.

    Thanks

    Dan

    ------------------------------
    Daniel
    FortiSIEM Product Manager
    ------------------------------