Fortinet Document Library

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:


Table of Contents

Administration Guide

IOC Package

Indicator of Compromise (IOC), in computer forensics, is an artifact observed on a network or in an operating system which indicates a computer intrusion. Typical IOCs are virus signatures and IP addresses, malware files or URLs MD5 hashes, or domain names of botnet command and control servers. In order to share, store and analyze in a consistent manner, Structured Threat Information Expression (STIX„) is commonly adopted by the industry.

FortiSandbox supports IOC in STIX v1.2 format. Two types of IOC packages are generated:

  1. A File Hash Watchlist package contains the Malware's file hash and is generated along with each Malware package. If the malware is detected in local unit, behavioral information is also included. The most recent package can be downloaded from Scan Input > Global Network or Scan Input > Local Packages, depending on if the unit joins a Global Threat Network.
  2. A URL Watchlist package contains the Malware's download URL and is generated along with each URL Package. It also contains URLs sent by FortiMail devices of suspicious ratings and whose scan depth is 0. The most recent package can be downloaded from Scan Policy > Global Network or Scan Policy > Local Packages, depending on if the unit joins a Global Threat Network. Behavioral information is not included in URL package.

The following is a example snippet of a File Hash Watchlist ICO package in STIX format:

<stix:STIX_Package

xmlns:FileObj="http://cybox.mitre.org/objects#FileObject-2"

xmlns:FortiSandbox="http://www.fortinet.com"

xmlns:cybox="http://cybox.mitre.org/cybox-2"

xmlns:cyboxCommon="http://cybox.mitre.org/common-2"

xmlns:cyboxVocabs="http://cybox.mitre.org/default_vocabularies-2"

xmlns:indicator="http://stix.mitre.org/Indicator-2"

xmlns:stix="http://stix.mitre.org/stix-1"

xmlns:stixCommon="http://stix.mitre.org/common-1"

xmlns:stixVocabs="http://stix.mitre.org/default_vocabularies-1"

xmlns:ttp="http://stix.mitre.org/TTP-1"

xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" id="FortiSandbox:Package-ba2ad205-b390-40fd-96e4-44c2efaacab1" version="1.2">

<stix:STIX_Header/>

<stix:Indicators>

<stix:Indicator id="FortiSandbox:indicator-7d3e889e-957c-428c-9f68-8e48d3346316" timestamp="2016-08-12T18:25:52.674621+00:00" xsi:type='indicator:IndicatorType'>

<indicator:Title>File hash for Suspected High Risk - Riskware</indicator:Title>

<indicator:Type xsi:type="stixVocabs:IndicatorTypeVocab-1.1">File Hash Watchlist</indicator:Type>

<indicator:Observable id="FortiSandbox:Observable-723483db-a3e0-4de0-93cd-5bd37b3c4611">

<cybox:Object id="FortiSandbox:File-3d9e7590-b479-4352-9a11-8fa313cee9f0">

<cybox:Properties xsi:type="FileObj:FileObjectType">

<FileObj:Hashes>

<cyboxCommon:Hash>

<cyboxCommon:Type xsi:type="cyboxVocabs:HashNameVocab-1.0">SHA256</cyboxCommon:Type>

<cyboxCommon:Simple_Hash_Value condition="Equals">0696e7ec6646977967f2c6f4dcb641473e76b4d5c9beb6e433e0229c2accec5d</cyboxCommon:Simple_Hash_Value>

</cyboxCommon:Hash>

</FileObj:Hashes>

</cybox:Properties>

</cybox:Object>

</indicator:Observable>

<indicator:Indicated_TTP>

<stixCommon:TTP idref="FortiSandbox:ttp-afa9d28b-9602-4936-8b94-93e29cc8830c" xsi:type='ttp:TTPType'/>

</indicator:Indicated_TTP>

</stix:Indicator>

</stix:Indicators>

<stix:TTPs>

<stix:TTP id="FortiSandbox:ttp-afa9d28b-9602-4936-8b94-93e29cc8830c" timestamp="2016-08-12T18:25:52.674181+00:00" xsi:type='ttp:TTPType'>

<ttp:Title>Suspected High Risk - Riskware</ttp:Title>

<ttp:Behavior>

<ttp:Malware>

<ttp:Malware_Instance>

<ttp:Type xsi:type="stixVocabs:MalwareTypeVocab-1.0">Exploit Kits</ttp:Type>

<ttp:Name>Suspected High Risk - Riskware</ttp:Name>

</ttp:Malware_Instance>

</ttp:Malware>

</ttp:Behavior>

</stix:TTP>

</stix:TTPs>

</stix:STIX_Package>

If the IOC package includes behavior information, it can be very large.

IOC Package

Indicator of Compromise (IOC), in computer forensics, is an artifact observed on a network or in an operating system which indicates a computer intrusion. Typical IOCs are virus signatures and IP addresses, malware files or URLs MD5 hashes, or domain names of botnet command and control servers. In order to share, store and analyze in a consistent manner, Structured Threat Information Expression (STIX„) is commonly adopted by the industry.

FortiSandbox supports IOC in STIX v1.2 format. Two types of IOC packages are generated:

  1. A File Hash Watchlist package contains the Malware's file hash and is generated along with each Malware package. If the malware is detected in local unit, behavioral information is also included. The most recent package can be downloaded from Scan Input > Global Network or Scan Input > Local Packages, depending on if the unit joins a Global Threat Network.
  2. A URL Watchlist package contains the Malware's download URL and is generated along with each URL Package. It also contains URLs sent by FortiMail devices of suspicious ratings and whose scan depth is 0. The most recent package can be downloaded from Scan Policy > Global Network or Scan Policy > Local Packages, depending on if the unit joins a Global Threat Network. Behavioral information is not included in URL package.

The following is a example snippet of a File Hash Watchlist ICO package in STIX format:

<stix:STIX_Package

xmlns:FileObj="http://cybox.mitre.org/objects#FileObject-2"

xmlns:FortiSandbox="http://www.fortinet.com"

xmlns:cybox="http://cybox.mitre.org/cybox-2"

xmlns:cyboxCommon="http://cybox.mitre.org/common-2"

xmlns:cyboxVocabs="http://cybox.mitre.org/default_vocabularies-2"

xmlns:indicator="http://stix.mitre.org/Indicator-2"

xmlns:stix="http://stix.mitre.org/stix-1"

xmlns:stixCommon="http://stix.mitre.org/common-1"

xmlns:stixVocabs="http://stix.mitre.org/default_vocabularies-1"

xmlns:ttp="http://stix.mitre.org/TTP-1"

xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" id="FortiSandbox:Package-ba2ad205-b390-40fd-96e4-44c2efaacab1" version="1.2">

<stix:STIX_Header/>

<stix:Indicators>

<stix:Indicator id="FortiSandbox:indicator-7d3e889e-957c-428c-9f68-8e48d3346316" timestamp="2016-08-12T18:25:52.674621+00:00" xsi:type='indicator:IndicatorType'>

<indicator:Title>File hash for Suspected High Risk - Riskware</indicator:Title>

<indicator:Type xsi:type="stixVocabs:IndicatorTypeVocab-1.1">File Hash Watchlist</indicator:Type>

<indicator:Observable id="FortiSandbox:Observable-723483db-a3e0-4de0-93cd-5bd37b3c4611">

<cybox:Object id="FortiSandbox:File-3d9e7590-b479-4352-9a11-8fa313cee9f0">

<cybox:Properties xsi:type="FileObj:FileObjectType">

<FileObj:Hashes>

<cyboxCommon:Hash>

<cyboxCommon:Type xsi:type="cyboxVocabs:HashNameVocab-1.0">SHA256</cyboxCommon:Type>

<cyboxCommon:Simple_Hash_Value condition="Equals">0696e7ec6646977967f2c6f4dcb641473e76b4d5c9beb6e433e0229c2accec5d</cyboxCommon:Simple_Hash_Value>

</cyboxCommon:Hash>

</FileObj:Hashes>

</cybox:Properties>

</cybox:Object>

</indicator:Observable>

<indicator:Indicated_TTP>

<stixCommon:TTP idref="FortiSandbox:ttp-afa9d28b-9602-4936-8b94-93e29cc8830c" xsi:type='ttp:TTPType'/>

</indicator:Indicated_TTP>

</stix:Indicator>

</stix:Indicators>

<stix:TTPs>

<stix:TTP id="FortiSandbox:ttp-afa9d28b-9602-4936-8b94-93e29cc8830c" timestamp="2016-08-12T18:25:52.674181+00:00" xsi:type='ttp:TTPType'>

<ttp:Title>Suspected High Risk - Riskware</ttp:Title>

<ttp:Behavior>

<ttp:Malware>

<ttp:Malware_Instance>

<ttp:Type xsi:type="stixVocabs:MalwareTypeVocab-1.0">Exploit Kits</ttp:Type>

<ttp:Name>Suspected High Risk - Riskware</ttp:Name>

</ttp:Malware_Instance>

</ttp:Malware>

</ttp:Behavior>

</stix:TTP>

</stix:TTPs>

</stix:STIX_Package>

If the IOC package includes behavior information, it can be very large.