
Administration Guide

Detection Devices

The Detection Devices page allows you to configure integrations with FortiSandbox, Cuckoo Sandbox, and Virus Total devices.

FortiSandbox

The integration between FortiDeceptor and FortiSandbox will provide a complete static and dynamic analysis against malicious code captured by the network decoys. The malware analysis report will be available on the FortiDeceptor admin console.

To configure integration with FortiSandbox:
  1. Go to Fabric > Detection Devices.
  2. Enable FortiSandbox.
  3. Configure the following parameters:

    Type: Select Appliance or Cloud.
    IP/URL: Type the FortiSandbox appliance or cloud IP address or URL.
    Port: Type the FortiSandbox API port. Default is 443.
    Username: Type the API username for the FortiDeceptor appliance. You can configure the API username in FortiSandbox.
    Password: Type the API password for the FortiDeceptor appliance. You can configure the API password in FortiSandbox.
    Token Access: Type the token for FortiSandbox Cloud. You can find this in the FortiSandbox Cloud CLI with the following command: login-token
    User ID: Type the FortiSandbox Cloud User ID.

  4. Click the Test button to ensure the API connection is working properly.
  5. Click Save to store the configuration.

Cuckoo Sandbox

The integration between FortiDeceptor and Cuckoo Sandbox will provide a complete static and dynamic analysis against malicious code captured by the network decoys. The malware analysis report will be available on the FortiDeceptor admin console.

To configure integration with Cuckoo Sandbox:
  1. Go to Fabric > Detection Devices.
  2. Enable Cuckoo Sandbox.
  3. Configure the following parameters:
    Name: The Fabric connector name.
    IP/URL: Type the Cuckoo Sandbox IP address or URL.
    Port: Type the Cuckoo Sandbox API port. Default is 1337.
    API Token: Type the API token located in the Cuckoo Sandbox configuration file.
  4. Click the Test button to ensure the API connection is working properly.
  5. Click Save to store the configuration.

Virus Total

The integration between FortiDeceptor and the well-known Virus Total service allows the submission of suspicious files (MD5) for malware analysis. When integrated, Virus Total detection ratios will be displayed in the incident analysis alert Workflow for relevant events.

Virus Total engages with multiple service providers to perform the same file inspection. Some service providers return a score of 0, meaning it is not malware, whereas other providers return a score of 1, meaning it is malware. Virus Total then returns a ratio such as 15/36 that indicates 15 out of 36 service providers determined the file is malware.

To configure integration with VirusTotal:
  1. Join the VirusTotal Community.
  2. In your personal settings section, find your personal API key.
  3. Go to Fabric > Detection Devices.
  4. Enable VirusTotal.
  5. In the VT API Key field, enter your Virus Total personal API key.
  6. Click Save.
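The following Python snippet is an added example, not FortiDeceptor or VirusTotal code: it shows how a hash-keyed VirusTotal file lookup is built and how a report is reduced to the 15/36-style detection ratio described above. It assumes the public VirusTotal v3 file-report endpoint and x-apikey header, and the sample reports are constructed, not real responses; no network call is made.

```python
import re
from typing import Dict, Tuple

# VirusTotal v3 file-report endpoint, keyed by hash (assumption: public v3 API).
VT_FILE_ENDPOINT = "https://www.virustotal.com/api/v3/files/{hash}"
MD5_RE = re.compile(r"^[0-9a-fA-F]{32}$")


def build_lookup_request(md5: str, api_key: str) -> Tuple[str, Dict[str, str]]:
    """Return (url, headers) for a file-report lookup by MD5.
    FortiDeceptor submits the MD5 of the captured file, so anything that is not
    a 32-character hex string is rejected before it reaches the wire."""
    if not MD5_RE.match(md5):
        raise ValueError("expected a 32-character hex MD5")
    # The personal API key from the VT settings page travels in the x-apikey header.
    return VT_FILE_ENDPOINT.format(hash=md5.lower()), {"x-apikey": api_key}


def detection_ratio(report: dict) -> Tuple[int, int]:
    """Reduce a report to (flagged, total): 'flagged' engines returned a malware
    verdict (score 1 in the guide's terms), 'total' is every engine that returned
    a verdict at all. Engines that timed out or do not support the file type are
    not verdicts and are left out of the total. Handles the v3 shape
    (last_analysis_stats) and the legacy v2 shape (positives/total)."""
    stats = report.get("data", {}).get("attributes", {}).get("last_analysis_stats")
    if stats is not None:
        flagged = int(stats.get("malicious", 0))
        total = flagged + sum(int(stats.get(k, 0)) for k in ("suspicious", "undetected", "harmless"))
        return flagged, total
    if "positives" in report and "total" in report:
        return int(report["positives"]), int(report["total"])
    raise ValueError("unrecognised VirusTotal report shape")


def format_ratio(report: dict) -> str:
    """Render the ratio the way the alert workflow displays it, e.g. '15/36'."""
    flagged, total = detection_ratio(report)
    return f"{flagged}/{total}"


# Constructed sample reports (not real VirusTotal output) for both shapes.
SAMPLE_V3 = {"data": {"attributes": {"last_analysis_stats": {
    "malicious": 15, "suspicious": 0, "undetected": 21, "harmless": 0,
    "timeout": 2, "type-unsupported": 5}}}}
SAMPLE_V2 = {"positives": 15, "total": 36}

if __name__ == "__main__":
    print(format_ratio(SAMPLE_V3), format_ratio(SAMPLE_V2))
```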
