Malware Patrol + FortiSIEM
Malware Patrol offers five Enterprise* feeds formatted for integration into FortiSIEM. This allows users to combine the quality of Fortinet’s SIEM security platform with the protection from our threat intelligence. Customers can choose the feed(s) that meet their needs:
- DNS-over-HTTPS (DoH) Servers (domains)
- Malicious Domains
- Malicious Hashes
- Malicious IPs
- Malware/Ransomware URLs
*These feeds are not available with the free or paid blocklists, or to Business Protect customers. Find more details about our Enterprise offerings here.
We offer free evaluations of our Enterprise feeds, including those for FortiSIEM. To request your evaluation, complete our request form.
About FortiSIEM
“FortiSIEM brings together visibility, correlation, automated response, and remediation in a single, scalable solution. It reduces the complexity of managing network and security operations to effectively free resources, improve breach detection, and even prevent breaches. What’s more is that [the] architecture enables unified data collection and analytics from diverse information sources including logs, performance metrics, security alerts, and configuration changes. FortiSIEM combines the analytics traditionally monitored in separate silos of the security operations center (SOC) and network operations center (NOC) for a more holistic view of the security and availability of the business.”

“FortiGuard Threat Intelligence and Indicators of Compromise (IOC) and Threat Intelligence (TI) feeds from commercial, open source, and custom data sources integrate easily into the security TI framework. This grand unification of diverse sources of data enables organizations to rapidly identify root causes of threats, and take the steps necessary to remediate and prevent them in the future. Steps can often be automated with new Threat Mitigation Libraries for many Fortinet products.

External Threat Intelligence Integrations
- APIs for integrating external threat feed intelligence – Malware domains, IPs, URLs, hashes, Tor nodes
- Built-in integration for popular threat intelligence sources – ThreatStream, CyberArk, SANS, Zeus, ThreatConnect
- Technology for handling large threat feeds – incremental download and sharing within cluster, real-time pattern matching with network traffic. All STIX and TAXII feeds are supported”
Adding External TI to FortiSIEM
DNS-over-HTTPS (DoH) Domains
Benefits of the Malware Patrol DoH Data Feed
We developed this feed to help security teams monitor the use of DoH in their environment. Our tools actively search for new DoH servers on a continuous basis to keep this data fresh. DoH allows users to bypass the DNS-level controls and internet usage policies put in place to protect your network against known threats, and threat actors take advantage of this, for example by using DoH for C2 server connections. As such, both incoming and outgoing DoH traffic should be closely monitored for indications of malicious activity.
1) From the FortiSIEM dashboard, navigate to Resources in the top navigation menu. On the left side menu that appears, you will see the types of IoC feeds that can be integrated.
2) Select Malware Domains from the menu on the left.
3) Click the + button at the upper left-hand side of this side menu to add a new Malware Domains group.
4) Enter a group name. We will use Malware Patrol – DoH to distinguish this feed from the Malware Patrol Malicious Domains previously entered.
5) Click save. The Malware Patrol – DoH group will now appear under the Malware Domains section.
6) Select/highlight the Malware Patrol group and then More from the top menu.
7) Select Update from the drop-down menu.
8) On the screen that pops up choose Update via API and click on the edit (pencil) button.
9) Enter the following to set up the feed update:
- URL of your Malware Patrol DoH feed or evaluation feed. This can be obtained by right clicking on the feed’s link in the Malware Patrol customer or evaluation portal.
- Your Malware Patrol portal username and password
- Plugin Class: no changes
- Field separator: ,
- Data format: CSV
- Data update: Full
10) In the Data Mapping section, match the following:
- Domain Name, Position 1
- Description, Position 2
- Last Seen, Position 3
11) Click Save
12) Click on the Schedule: + button
13) On the screen that pops up, enter:
- Start Time: Set a start time a few minutes from the current time. This will cause the data to be updated after your setup is complete
- Recurrence Pattern: Hourly, Every 1 Hour (Malware Patrol feeds are updated on an hourly basis)
- Recurrence:
- Start From: Today’s Date
- End Date: No End Date
- Click Save
14) The data will populate at the start time set above. If it does not, click the Refresh button at the top of the data display area. Another option is to go back to the schedule settings to verify the time you set for the updates to begin. You can set another time a few minutes in the future.
15) To change the columns displayed once the data populates, click on the Select Columns button located beside the refresh button. Use the data mapping information from the setup process to know which fields are available in the Malware Patrol feed.
Malicious Domains
Benefits of the Malware Patrol Malicious Domains Data Feed
This Malware Patrol feed contains domains actively involved in malicious activities. The data is derived from five of our Enterprise feeds: 1) Anti-Mining, 2) Command & Control (C2) Addresses, 3) Domain Names Generated via DGAs, 4) Malware & Ransomware URLs, and 5) Phishing URLs. Network traffic associated with these domains is highly likely to be malicious.
1) From the FortiSIEM dashboard, navigate to Resources in the top navigation menu. On the left side menu that appears, you will see the types of IoC feeds that can be integrated.
2) Select Malware Domains from the menu on the left.
3) Click the + button at the upper left-hand side of this side menu to add a new Malware Domains group.
4) Enter a group name. We will use Malware Patrol for this guide.
5) Click save. The Malware Patrol group will now appear under the Malware Domains section.
6) Select/highlight the Malware Patrol group and then More from the top menu.
7) Select Update from the drop-down menu.
8) On the screen that pops up choose Update via API.
9) Click on the edit (pencil) button for the URL.
10) Enter the following to set up the feed update:
- URL of your Malware Patrol Malicious Domains feed or evaluation feed. This can be obtained by right clicking on the feed’s link in the Malware Patrol customer or evaluation portal.
- Your Malware Patrol portal username and password
- Plugin Class: no changes
- Field separator: ,
- Data format: CSV
- Data update: Full
11) In the Data Mapping section, match the following:
- Domain Name, Position 1
- Malware Type, Position 2
- Description, Position 3
- Date Found, Position 4
- Last Seen, Position 5
12) Click Save
13) Click on the Schedule: + button
14) On the screen that pops up, enter:
- Start Time: Set a start time a few minutes from the current time. This will cause the data to be updated after your setup is complete
- Recurrence Pattern: Hourly, Every 1 Hour (Malware Patrol feeds are updated on an hourly basis)
- Recurrence:
- Start From: Today’s Date
- End Date: No End Date
- Click Save
15) The data will populate at the start time set above. If it does not, click the Refresh button at the top of the data display area. Another option is to go back to the schedule settings to verify the time you set for the updates to begin. You can set another time a few minutes in the future.
16) To change the columns displayed once the data populates, click on the Select Columns button located beside the refresh button. Use the data mapping information from the setup process for each feed to know which fields are available in the Malware Patrol feed.
Malicious IPs
Benefits of the Malware Patrol Malicious IPs Data Feed
This feed contains IP addresses known to actively host malicious files and C2 systems for malware and ransomware. Monitoring traffic destined to them is an effective network protection measure and provides valuable information for threat hunting purposes.
1) From the FortiSIEM dashboard, navigate to Resources in the top navigation menu. On the left side menu that appears, you will see the types of IoC feeds that can be integrated.
2) Select Malware IPs from the menu on the left.
3) Click the + button at the upper left-hand side of this side menu to add a new Malware IPs group.
4) Enter a group name. We will use Malware Patrol for this guide.
5) Click save. The Malware Patrol group will now appear under the Malware IPs section.
6) Select/highlight the Malware Patrol group and then More from the top menu.
7) Select Update from the drop-down menu.
8) On the next screen, choose Update via API and click on the edit (pencil) button.
9) Enter the following to set up the feed update:
- URL of your Malware Patrol Malicious IPs feed or evaluation feed. This can be obtained by right clicking on the feed’s link in the Malware Patrol customer or evaluation portal.
- Your Malware Patrol portal username and password
- Plugin Class: no changes
- Field separator: ,
- Data format: CSV
- Data update: Full
10) In the Data Mapping section, match the following:
- Name, Position 1
- Low IP, Position 2
- Malware Type, Position 3
- Description, Position 4
- Date Found, Position 5
- Last Seen, Position 6
11) Click Save
12) Click on the Schedule: + button
13) On the next screen, enter:
- Start Time: Set a start time a few minutes from the current time. This will cause the data to be updated after your setup is complete
- Recurrence Pattern: Hourly, Every 1 Hour (Malware Patrol feeds are updated on an hourly basis)
- Recurrence:
- Start From: Today’s Date
- End Date: No End Date
- Click Save
14) The data will populate at the start time set above. If it does not, click the Refresh button at the top of the data display area. Another option is to go back to the schedule settings to verify the time you set for the updates to begin. You can set another time a few minutes in the future.
15) To change the columns displayed once the data populates, click on the Select Columns button located beside the refresh button. Use the data mapping information from the setup process for each feed to know which fields are available in the Malware Patrol feed.
Malware Hashes
Benefits of the Malware Patrol Malware Hashes Data Feed
This feed contains the SHA-1 hashes of malware and ransomware samples currently available on the internet. Encountering these signatures in your environment is a sign of malicious activity.
1) From the FortiSIEM dashboard, navigate to Resources in the top navigation menu. On the left side menu that appears, you will see the types of IoC feeds that can be integrated.
2) Select Malware Hash from the menu on the left.
3) Click the + button at the upper left-hand side of this side menu to add a new Malware Hash group.
4) Enter a group name. We will use Malware Patrol for this guide.
5) Click save. The Malware Patrol group will now appear under the Malware Hash section.
6) Select/highlight the Malware Patrol group and then More from the top menu.
7) Select Update from the drop-down menu.
8) On the next screen, choose Update via API and click on the edit (pencil) button.
9) Enter the following to set up the feed update:
- URL of your Malware Patrol Malware Hashes feed or evaluation feed. This can be obtained by right clicking on the feed’s link in the Malware Patrol customer or evaluation portal.
- Your Malware Patrol portal username and password
- Plugin Class: no changes
- Field separator: ,
- Data format: CSV
- Data update: Full
10) In the Data Mapping section, match the following:
- Description, Position 1
- Algorithm, Position 2
- HashCode, Position 3
- Malware Type, Position 4
- Date Found, Position 5
- Last Seen, Position 6
11) Click Save
12) Click on the Schedule: + button
13) On the next screen, enter:
- Start Time: Set a start time a few minutes from the current time. This will cause the data to be updated after your setup is complete
- Recurrence Pattern: Hourly, Every 1 Hour (Malware Patrol feeds are updated on an hourly basis)
- Recurrence:
- Start From: Today’s Date
- End Date: No End Date
- Click Save
14) The data will populate at the start time set above. If it does not, click the Refresh button at the top of the data display area. Another option is to go back to the schedule settings to verify the time you set for the updates to begin. You can set another time a few minutes in the future.
15) To change the columns displayed once the data populates, click on the Select Columns button located beside the refresh button. Use the data mapping information from the setup process for each feed to know which fields are available in the Malware Patrol feed.
Malware URLs
Benefits of the Malware/Ransomware URLs Data Feed
This feed contains URLs known to be hosting malware binaries. It is updated hourly to remove inactive URLs and add newly detected ones. Correlating this feed with network traffic can pinpoint a potential malware infection.
1) From the FortiSIEM dashboard, navigate to Resources in the top navigation menu. On the left side menu that appears, you will see the types of IoC feeds that can be integrated.
2) Select Malware URLs from the menu on the left.
3) Click the + button at the upper left-hand side of this menu to add a new Malware URLs group.
4) Enter a group name. We will use Malware Patrol for this guide.
5) Click save. The Malware Patrol group will now appear under the Malware URLs section.
6) Select/highlight the Malware Patrol group and then More from the top menu.
7) Select Update from the drop-down menu.
8) On the next screen, choose Update via API and click on the edit (pencil) button.
9) Enter the following to set up the feed update:
- URL of your Malware Patrol Malware URLs feed or evaluation feed. This can be obtained by right clicking on the feed’s link in the Malware Patrol customer or evaluation portal.
- Your Malware Patrol portal username and password
- Plugin Class: no changes
- Field separator: ,
- Data format: CSV
- Data update: Full
10) In the Data Mapping section, match the following:
- URL, Position 1
- Malware Type, Position 2
- Last Seen, Position 3
11) Click Save
12) Click on the Schedule: + button
13) On the next screen, enter:
- Start Time: Set a start time a few minutes from the current time. This will cause the data to be updated after your setup is complete
- Recurrence Pattern: Hourly, Every 1 Hour (Malware Patrol feeds are updated on an hourly basis)
- Recurrence:
- Start From: Today’s Date
- End Date: No End Date
- Click Save
14) The data will populate at the start time set above. If it does not, click the Refresh button at the top of the data display area. Another option is to go back to the schedule settings to verify the time you set for the updates to begin. You can set another time a few minutes in the future.
15) To change the columns displayed once the data populates, click on the Select Columns button located beside the refresh button. Use the data mapping information from the setup process for each feed to know which fields are available in the Malware Patrol feed.
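Before pointing FortiSIEM at a feed, it is worth confirming that the downloaded file actually lines up with the Data Mapping you entered, since a row with the wrong number of fields would be imported into the wrong columns. The following Python script is an added example, not code from Malware Patrol or Fortinet: it encodes the five position mappings from the DoH, Malicious Domains, Malicious IPs, Malware Hashes and Malware URLs setup steps above, splits a feed file with the "," separator, and applies simple sanity checks to the indicator column. The sample lines are constructed and assume only what the mappings state (CSV, comma separator, SHA-1 hashes); the real feeds' descriptions, dates and malware-type values are not shown on this page.

```python
import csv
import ipaddress
import re
from io import StringIO
# FortiSIEM data mappings from the setup steps above, as {field: 1-based position}.
MAPPINGS = {
    "doh": {"Domain Name": 1, "Description": 2, "Last Seen": 3},
    "domains": {"Domain Name": 1, "Malware Type": 2, "Description": 3, "Date Found": 4, "Last Seen": 5},
    "ips": {"Name": 1, "Low IP": 2, "Malware Type": 3, "Description": 4, "Date Found": 5, "Last Seen": 6},
    "hashes": {"Description": 1, "Algorithm": 2, "HashCode": 3, "Malware Type": 4, "Date Found": 5, "Last Seen": 6},
    "urls": {"URL": 1, "Malware Type": 2, "Last Seen": 3},
}
SHA1_RE = re.compile(r"^[0-9a-fA-F]{40}$")  # the hash feed is documented as SHA-1

def check_record(feed, rec):
    """Sanity-check the indicator column of one mapped row; None means OK."""
    if feed == "ips":
        try:
            ipaddress.ip_address(rec["Low IP"])
        except ValueError:
            return "bad IP: " + rec["Low IP"]
    if feed == "hashes" and not SHA1_RE.match(rec["HashCode"]):
        return "not a SHA-1 hex digest: " + rec["HashCode"]
    if feed == "urls" and not rec["URL"].lower().startswith(("http://", "https://")):
        return "bad URL: " + rec["URL"]
    return None

def parse_feed(feed, text):
    """Split the ','-separated feed and apply the position mapping. A row whose field count
    differs from the mapping is reported, not imported: FortiSIEM would misalign its columns."""
    mapping = MAPPINGS[feed]
    records, problems = [], []
    for n, row in enumerate(csv.reader(StringIO(text)), start=1):
        if not row:
            continue
        if len(row) != len(mapping):
            problems.append((n, f"expected {len(mapping)} fields, got {len(row)}"))
            continue
        rec = {field: row[pos - 1].strip() for field, pos in mapping.items()}
        err = check_record(feed, rec)
        if err:
            problems.append((n, err))
        else:
            records.append(rec)
    return records, problems
# Constructed sample lines, not real feed data; the last URL row has an unquoted ','.
SAMPLE_HASHES = "sample,SHA-1,0123456789abcdef0123456789abcdef01234567,Trojan,2024-01-01,2024-01-02\n"
SAMPLE_URLS = ("http://example.invalid/payload.exe,Malware,2024-01-02\n"
               "ftp://example.invalid/x,Malware,2024-01-02\n"
               "http://example.invalid/a,b.exe,Malware,2024-01-02\n")
```

Run `parse_feed("urls", SAMPLE_URLS)` to see the first row accepted and the other two reported; the same call with the feed file you downloaded from the portal shows whether any rows would be mis-mapped before you schedule the hourly update.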
If you need any assistance with your FortiSIEM integration, please email support (@) malwarepatrol.net or contact your Account Manager.