Integrate a Fortinet FortiSIEM On-Premises Device
Configure a Fortinet FortiSIEM on-premises device to pull IOCs from Threat Command.
The following table shows device-specific integration characteristics:
| Characteristic | Description |
|---|---|
| IOC types | Domains, file hashes (MD5, SHA-1, and SHA-256), IP addresses, and URLs. |
| IOC group limitation | Each IOC group can contain only one type of IOC. For multiple types, create multiple IOC groups. |
| Device IOC limit | The device is limited to 300,000 IOCs. |
Imported IOCs are accepted/monitored. You can create a policy to block those IOCs.
To integrate the device, perform these steps (described in the following sections):
- Add the device to the Threat Command virtual appliance.
- Configure the device to pull IOCs from Threat Command.
Add a Fortinet FortiSIEM on-premises device
The procedure to add the device to Threat Command is different depending on the version of the Threat Command virtual appliance in your environment. To determine which version is running, see Determine the Version of Virtual Appliance.
Add the on-premises device
Add the device in virtual appliance v3.9
Prerequisites:
- The Threat Command virtual appliance web interface is configured and you can access it.
- You have the credentials to access the device.
- You have administrative credentials to access Threat Command with a subscription to the Automation and TIP modules.
To add the device to Threat Command:
- From an internet browser, navigate to https://<virtual appliance IP address>
- Log in to the virtual appliance using the web access username and password.
- From the Devices page, click Devices (Pull).
- Click Add new device.
- In the Devices (Pull) screen, set up the new device:
- Type a user-defined, unique device name.
- Select the device type.
- Click Create.
- Verify that the new device was added:
- Log in to Threat Command at https://dashboard.ti.insight.rapid7.com
- From the main menu, select Automation > Integrations.
If this window is already open, refresh it by selecting Automation > Integrations from the menu.
The new device is displayed in the On-Premises tab.
Add the device in virtual appliance v4.0
Prerequisites:
- You have the credentials to access the Threat Command virtual appliance web interface.
- You have the credentials to access the device.
- You have administrative credentials to access Threat Command with a subscription to the Automation and TIP modules.
To add the device to Threat Command:
- Log in to Threat Command at https://dashboard.ti.insight.rapid7.com
- From the main menu, select Automation > Integrations.
- From the Integrations page, click On-Premises.
- Click Add new device.
- In the Add New On-Premises Device dialog, type a user-defined name for the device.
The name can contain a maximum of 50 letters, spaces, numbers, and underscores. - Select the Device type.
The default device IOCs limit is displayed. - (Optional) You can change the IOCs limit.
- Click Add.
- To verify that the new device is added, refresh the Automation > Integrations page.
Next to the device name, there is a red dot, indicating that communication has not yet been established. The dot will change to green when the device is synchronized. If the device cannot synchronize for more than 48 hours, an email warning is sent to the account administrator.
Configure a FortiSIEM device to pull IOCs
After a device has been added to the Threat Command virtual appliance, you must enable it to pull IOCs from Threat Command.
Configuration for on-premises devices
When configuring an on-premises device, it is important to know which version of the Threat Command virtual appliance is running in your environment. This will affect which Rapid7 URL is displayed in the Device Details screen and also which URL to copy into the device management console.
When running version 4.0 or later, the Legacy URL should be used only with Rapid7 support.
To determine which version of the virtual appliance is running, see Determine the version of virtual appliance.
Prerequisites
- You have the device login credentials.
- The device has been added.
- You have administrative credentials to access Threat Command with a subscription to the Automation and TIP modules.
- An IOC group for this device exists in Threat Command.
Creating IOC groups is described in Create an IOC group
Due to device limitations, IOC groups can consist of only one type of IOC. To support more than one type (domains, IP addresses, etc.), create multiple IOC groups.
To pull IOCs into FortiSIEM, you must set up a separate FortiSIEM resource group for each Threat Command IOC group. The process of creating different forms of FortiSIEM groups is very similar and is described together. The small differences are noted in the description.
To configure a FortiSIEM device to pull IOCs:
- From Threat Command, copy the IOC group URL:
- From the Threat Command main menu, select Automation > Integrations.
- From the On-Premises device list, select the FortiSIEM device.
- Click the link icon to the far right of the device IOC group.
- From the IOC Group URL dialog box, copy the URL.
- (Optional) To ensure that the IOC group contains values, hover over the IOC group line, then click the information icon.
If the IOC list is not populated, stop, and then try again.
- Log in to the FortiSIEM management console.
- From the main menu, click Resource.
The task description will continue with the Malware Domains resource group, to match the Threat Command domains IOC group. The same steps are used for the other resource groups. - In the Resources menu, click Malware Domains (label 1).
The list of currently defined malware domains groups is displayed.
- Click + (label 2) to create a new group.
- In the Create New Malware Domain Group dialog, type a name and a description (optional), then click Save.
In our example, the resource was named IntSights1_Domains. - Expand the Manage Domains section and select the new resource (label 1 IntSghts1_Domains), then click More > Update (label 2).
- In the Update Malware Domain dialog, select Update via API, then click the URL edit icon.
The dialog box expands to display additional parameters.
- Enter the details for the resource group, as described in Resource tables. (This is the only step where creating resource groups differs.)
- Click Save.
- In the Update Malware Domain dialog, click the Schedule + icon.
The dialog box expands to display additional parameters.
- Set a schedule and recurrence pattern for when FortiSIEM should pull the IOCs, then click Save.
- Click Close.
- To verify that IOCs are uploaded to FortiSIEM go to the resource you created and verify that IOCs are populated in the table.
For example:
Resource group tables
Use these tables for the input for the resource group details:
Update Malware Domain values
| Field in update dialog | Enter this |
|---|---|
| URL | Paste URL from the domains IOC group in the Threat Command Integrations page. - Replace [APPLIANCE_IP] with the IP address of your Threat Command virtual appliance. - Ensure that the port matches the port in use. |
| User Name | Leave blank |
| Password | Leave blank |
| Plug-in Class | Leave as-is |
| Field Separator | Type a comma (this is the default) |
| Data Format | CSV |
| Date Update | Select Full |
| Data Mapping | Select Domain Name and Position = 1 |
Update Malware IP values
| Field in update dialog | Enter this |
|---|---|
| URL | Paste URL from the IP address IOC group in the Threat Command Integrations page. - Replace [APPLIANCE_IP] with the IP address of your Threat Command virtual appliance. - Ensure that the port matches the port in use. |
| User Name | Leave blank |
| Password | Leave blank |
| Plug-in Class | Leave as-is |
| Field Separator | Type a dash (this is the default) |
| Data Format | CSV |
| Date Update | Select Full |
| Data Mapping | Select Low IP and Position = 1 |
Update Malware URL values
| Field in update dialog | Enter this |
|---|---|
| URL | Paste URL from the URLs IOC group in the Threat Command Integrations page. - Replace [APPLIANCE_IP] with the IP address of your Threat Command virtual appliance. - Ensure that the port matches the port in use. |
| User Name | Leave blank |
| Password | Leave blank |
| Plug-in Class | Leave as-is |
| Field Separator | Type a comma (this is the default) |
| Data Format | CSV |
| Date Update | Select Full |
| Data Mapping | Select URL and Position = 1 |
Update Malware Hashes values
| Field in update dialog | Enter this |
|---|---|
| URL | Paste URL from the Hashes IOC group in the Threat Command Integrations page. - Replace [APPLIANCE_IP] with the IP address of your Threat Command virtual appliance. - Ensure that the port matches the port in use. |
| User Name | Leave blank |
| Password | Leave blank |
| Plug-in Class | Leave as-is |
| Field Separator | Type a comma (this is the default) |
| Data Format | CSV |
| Date Update | Select Full |
| Data Mapping | - Select Botnet Name and Position = 1 - Select Algorithm and Position = 2 - Select HashCode and Position = 3 |