Fortinet white logo
Fortinet white logo

External Systems Configuration Guide

ThreatConnect

ThreatConnect

Protocol Information Collected Used For
ThreatConnect API Malware Domain, IP, URL and Hash Detect threats for Security and Compliance

Configuring ThreatConnect

Create an API Key to be used for FortiSIEM communication.

The details are here:

https://kb.threatconnect.com/customer/en/portal/articles/2188549-creating-user-accounts

  1. Log in to your ThreatConnect portal as an administrative user.
  2. Go to My Profile > ORG Settings.
  3. Click Create API User.

    These credentials will be created:

    • Access ID
    • Secret Key
  4. Note the Organization Name. You will need it in a later step.
  5. ThreatConnect contains many threat feeds. If you want to get specific threatfeeds, then you must know the threat feeds that are available for your account. You can see these feeds by navigating to Browse > Indicators > My ThreatConnect > Intelligent Sources.

Configuring FortiSIEM to Download IOCs from ThreatConnect

Use the Access ID and Secret Key that were created in the previous section to enable FortiSIEM access.

FortiSIEM can provide the following IOCs from ThreatConnect:

  • Malware Domain
  • Malware IP
  • Malware URL
  • Malware Hash

Follow these steps to set up Malware Domain downloads from ThreatConnect.

  1. Login to FortiSIEM.
  2. Go to RESOURCE > Malware Domain > ThreatConnect Malware Domain.
  3. Click More > Update. Select Update via API.
  4. Enter the following fields
    1. Set User Name to Access ID (Step 3a above).
    2. Set Password to Secret Key (Step 3b above).
    3. Set Data Format to STIX-TAXII.
    4. For Collection:, you have two choices:
    • To get all threatfeeds - enter All:<Organization Name> (Step 4 above), or
    • To get specific threatfeeds, enter comma-separated values of threatfeeds (obtained from Step 6 above).
  5. Set Data Update = Incremental
  • Click Save.
  • Click Schedule to specify how often the threat feed will be updated.
    1. Choose Start time.
    2. Choose Recurrence pattern.
    3. Click Save.
  • Wait until the first scheduled download occurs. Then, navigate to RESOURCE > Malware Domain > ThreatConnect Malware Domain. Downloaded Malware domains will be displayed in the right-hand table. You can use this object in rules and reports to detect hits.
  • Downloading Other IOCs

    The steps for configuring FortiSIEM to download other IOCs are identical, except for the following details:

    • Malware IP—Navigate to RESOURCE > Malware Domain > ThreatConnect Malware IP
    • Malware URL—Navigate to RESOURCE > Malware Domain > ThreatConnect Malware URL
    • Malware Hash—Navigate to RESOURCE > Malware Domain > ThreatConnect Malware Hash

    ThreatConnect

    ThreatConnect

    Protocol Information Collected Used For
    ThreatConnect API Malware Domain, IP, URL and Hash Detect threats for Security and Compliance

    Configuring ThreatConnect

    Create an API Key to be used for FortiSIEM communication.

    The details are here:

    https://kb.threatconnect.com/customer/en/portal/articles/2188549-creating-user-accounts

    1. Log in to your ThreatConnect portal as an administrative user.
    2. Go to My Profile > ORG Settings.
    3. Click Create API User.

      These credentials will be created:

      • Access ID
      • Secret Key
    4. Note the Organization Name. You will need it in a later step.
    5. ThreatConnect contains many threat feeds. If you want to get specific threatfeeds, then you must know the threat feeds that are available for your account. You can see these feeds by navigating to Browse > Indicators > My ThreatConnect > Intelligent Sources.

    Configuring FortiSIEM to Download IOCs from ThreatConnect

    Use the Access ID and Secret Key that were created in the previous section to enable FortiSIEM access.

    FortiSIEM can provide the following IOCs from ThreatConnect:

    • Malware Domain
    • Malware IP
    • Malware URL
    • Malware Hash

    Follow these steps to set up Malware Domain downloads from ThreatConnect.

    1. Login to FortiSIEM.
    2. Go to RESOURCE > Malware Domain > ThreatConnect Malware Domain.
    3. Click More > Update. Select Update via API.
    4. Enter the following fields
      1. Set User Name to Access ID (Step 3a above).
      2. Set Password to Secret Key (Step 3b above).
      3. Set Data Format to STIX-TAXII.
      4. For Collection:, you have two choices:
      • To get all threatfeeds - enter All:<Organization Name> (Step 4 above), or
      • To get specific threatfeeds, enter comma-separated values of threatfeeds (obtained from Step 6 above).
    5. Set Data Update = Incremental
  • Click Save.
  • Click Schedule to specify how often the threat feed will be updated.
    1. Choose Start time.
    2. Choose Recurrence pattern.
    3. Click Save.
  • Wait until the first scheduled download occurs. Then, navigate to RESOURCE > Malware Domain > ThreatConnect Malware Domain. Downloaded Malware domains will be displayed in the right-hand table. You can use this object in rules and reports to detect hits.
  • Downloading Other IOCs

    The steps for configuring FortiSIEM to download other IOCs are identical, except for the following details:

    • Malware IP—Navigate to RESOURCE > Malware Domain > ThreatConnect Malware IP
    • Malware URL—Navigate to RESOURCE > Malware Domain > ThreatConnect Malware URL
    • Malware Hash—Navigate to RESOURCE > Malware Domain > ThreatConnect Malware Hash