Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • External Systems Configuration Guide

    Home FortiSIEM 6.5.1 External Systems Configuration Guide
    6.5.1
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.1.7
    7.1.6
    7.1.5
    7.1.4
    7.1.3
    7.1.2
    7.1.1
    7.1.0
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.7.9
    6.7.8
    6.7.7
    6.7.6
    6.7.5
    6.7.4
    6.7.3
    6.7.2
    6.7.1
    6.7.0
    6.6.5
    6.6.4
    6.6.3
    6.6.2
    6.6.1
    6.6.0
    6.5.3
    6.5.2
    6.5.1
    6.5.0
    6.4.4
    6.4.3
    6.4.2
    6.4.1
    6.4.0
    6.3.3
    6.3.2
    6.3.1
    6.3.0
    6.2.1
    6.2.0
    6.1.2
    6.1.1
    6.1.0
    5.4.0
    5.3.3
    5.3.2
    5.3.1
    5.3.0
    5.0.0

    ThreatConnect

    ThreatConnect

    What is Discovered and Monitored

    Protocol Information Collected Used For
    ThreatConnect API Malware Domain, IP, URL and Hash Detect threats for Security and Compliance

    Configuring ThreatConnect

    Create an API Key to be used for FortiSIEM communication.

    The details are here:

    https://kb.threatconnect.com/customer/en/portal/articles/2188549-creating-user-accounts

    1. Log in to your ThreatConnect portal as an administrative user.
    2. Go to My Profile > ORG Settings.
    3. Click Create API User.

      These credentials will be created:

      • Access ID
      • Secret Key
    4. Note the Organization Name. You will need it in a later step.
    5. ThreatConnect contains many threat feeds. If you want to get specific threatfeeds, then you must know the threat feeds that are available for your account. You can see these feeds by navigating to Browse > Indicators > My ThreatConnect > Intelligent Sources.

    Configuring FortiSIEM to Download IOCs from ThreatConnect

    Use the Access ID and Secret Key that were created in the previous section to enable FortiSIEM access.

    FortiSIEM can provide the following IOCs from ThreatConnect:

    • Malware Domain
    • Malware IP
    • Malware URL
    • Malware Hash

    Follow these steps to set up Malware Domain downloads from ThreatConnect.

    1. Login to FortiSIEM.
    2. Go to RESOURCES > Malware Domain > ThreatConnect Malware Domain.
    3. Click More > Update. Select Update via API.
    4. Enter the following fields
      1. Set User Name to Access ID (Step 3a above).
      2. Set Password to Secret Key (Step 3b above).
      3. Set Data Format to STIX-TAXII.
      4. For Collection:, you have two choices:
      • To get all threatfeeds - enter All:<Organization Name> (Step 4 above), or
      • To get specific threatfeeds, enter comma-separated values of threatfeeds (obtained from Step 6 above).
    5. Set Data Update = Incremental
  • Click Save.
  • Click Schedule to specify how often the threat feed will be updated.
    1. Choose Start time.
    2. Choose Recurrence pattern.
    3. Click Save.
  • Wait until the first scheduled download occurs. Then, navigate to RESOURCES > Malware Domain > ThreatConnect Malware Domain. Downloaded Malware domains will be displayed in the right-hand table. You can use this object in rules and reports to detect hits.

    • Downloading Other IOCs

    The steps for configuring FortiSIEM to download other IOCs are identical, except for the following details:

    • Malware IP—Navigate to RESOURCES > Malware Domain > ThreatConnect Malware IP
    • Malware URL—Navigate to RESOURCES > Malware Domain > ThreatConnect Malware URL
    • Malware Hash—Navigate to RESOURCES > Malware Domain > ThreatConnect Malware Hash
    Previous
    Next

    ThreatConnect

    ThreatConnect

    What is Discovered and Monitored

    Protocol Information Collected Used For
    ThreatConnect API Malware Domain, IP, URL and Hash Detect threats for Security and Compliance

    Configuring ThreatConnect

    Create an API Key to be used for FortiSIEM communication.

    The details are here:

    https://kb.threatconnect.com/customer/en/portal/articles/2188549-creating-user-accounts

    1. Log in to your ThreatConnect portal as an administrative user.
    2. Go to My Profile > ORG Settings.
    3. Click Create API User.

      These credentials will be created:

      • Access ID
      • Secret Key
    4. Note the Organization Name. You will need it in a later step.
    5. ThreatConnect contains many threat feeds. If you want to get specific threatfeeds, then you must know the threat feeds that are available for your account. You can see these feeds by navigating to Browse > Indicators > My ThreatConnect > Intelligent Sources.

    Configuring FortiSIEM to Download IOCs from ThreatConnect

    Use the Access ID and Secret Key that were created in the previous section to enable FortiSIEM access.

    FortiSIEM can provide the following IOCs from ThreatConnect:

    • Malware Domain
    • Malware IP
    • Malware URL
    • Malware Hash

    Follow these steps to set up Malware Domain downloads from ThreatConnect.

    1. Login to FortiSIEM.
    2. Go to RESOURCES > Malware Domain > ThreatConnect Malware Domain.
    3. Click More > Update. Select Update via API.
    4. Enter the following fields
      1. Set User Name to Access ID (Step 3a above).
      2. Set Password to Secret Key (Step 3b above).
      3. Set Data Format to STIX-TAXII.
      4. For Collection:, you have two choices:
      • To get all threatfeeds - enter All:<Organization Name> (Step 4 above), or
      • To get specific threatfeeds, enter comma-separated values of threatfeeds (obtained from Step 6 above).
    5. Set Data Update = Incremental
  • Click Save.
  • Click Schedule to specify how often the threat feed will be updated.
    1. Choose Start time.
    2. Choose Recurrence pattern.
    3. Click Save.
  • Wait until the first scheduled download occurs. Then, navigate to RESOURCES > Malware Domain > ThreatConnect Malware Domain. Downloaded Malware domains will be displayed in the right-hand table. You can use this object in rules and reports to detect hits.

    • Downloading Other IOCs

    The steps for configuring FortiSIEM to download other IOCs are identical, except for the following details:

    • Malware IP—Navigate to RESOURCES > Malware Domain > ThreatConnect Malware IP
    • Malware URL—Navigate to RESOURCES > Malware Domain > ThreatConnect Malware URL
    • Malware Hash—Navigate to RESOURCES > Malware Domain > ThreatConnect Malware Hash
    Previous
    Next