Fortinet Integration

RST Cloud can be used in various scenarios with Fortinet solutions.

To perform real-time threat detection, RST Threat Feed can be utilised by FortiSIEM to conduct threat intelligence (TI) match searches in the logs, flagging malicious activities. FortiSIEM can collect information from RST Cloud using STIX/TAXII or via a special CSV API endpoint.

FortiGate firewalls can also utilise RST Threat Feed to block attacks using high-confidence indicators from RST Cloud. This functionality is integrated into different modules within FortiGate; network threats can be blocked using IP, domain, and URL indicators, and files downloaded from the internet can be checked against file hashes provided by RST Cloud.

FortiSOAR can utilise RST IoC Lookup, RST Noise Control, and RST Whois API to enrich incidents with information about known bad and known good IPs, domains, URLs, and hashes. It can also provide further context, such as the age of a domain, in phishing investigations.

FortiSIEM

About this integration

RST Threat Feed provides comprehensive coverage across various threat categories, including Phishing, Web Attacks, Command and Control servers, Botnets, Malware, and more. Our feed encompasses key indicators such as IP addresses, domains, URLs, MD5, SHA1, and SHA256 hashes, ensuring a wide-ranging defence against evolving threats.

We aggregate threat intelligence data from diverse sources, including private and open-source feeds, in-house systems, public online sandboxes, and RST Cloud's honeypot network. This extensive data collection ensures a robust and dynamic threat intelligence repository.

FortiSIEM users can leverage this wealth of information for real-time threat detection, investigation, and proactive hunting. By integrating RST Threat Feed, FortiSIEM becomes a powerful ally in the constant battle against cyber threats, offering users the ability to stay ahead of the curve and secure their digital environments effectively.

FortiSIEM documentation: https://docs.fortinet.com/document/fortisiem/7.1.2/external-systems-configuration-guide/82472/threat-intelligence

Configuration Steps

To connect RST Threat Feed to FortiSIEM you need to:

  1. Create dedicated groups for IP, Domain, and URL: RST Malware IP, RST Malware Domain, RST Malware URL. You can create more specific groups such as RST High-Confidence Phishing URLs by setting a score threshold and selecting from the available categories.

  2. Then create a dedicated Update task: More – Update.

  3. Choose the Update via API option in the task properties and fill in the fields:
     • Data Format: CSV or STIX-TAXII. We recommend the STIX-TAXII data format.

  • For STIX:
    • URL: https://taxii.rstcloud.net/stix/taxii2/root/<Collection ID> (for your specific Collection ID please contact us)
    • User Name: your account name
    • Password: your password
    • Plugin class: com.accelops.service.threatfeed.impl.StixMalwareIPUpdateService
    • Data Format: STIX-TAXII
    • Data Update: Incremental, or Full.

  • For CSV:
    • URL:
      • https://fortisiem-threat-feed.rstcloud.net/ip/<score> - for IP
      • https://fortisiem-threat-feed.rstcloud.net/domain/<score> - for Domain
      • https://fortisiem-threat-feed.rstcloud.net/url/<score> - for URL
      • https://fortisiem-threat-feed.rstcloud.net/hash/<score> - for Hash
    • We recommend using the Score filter in the URL. Dangerous IoCs have scores of approximately 50-60 and higher, informative ones have scores below 30-40, and the indicators in between are suspicious. Each indicator has an individual score calculated from how current it is and from its risk: the type of indicator, who reported it, how many others are already aware of it, whether it was exposed previously, and many other contributing factors.
      The higher the indicator score, the lower its false-positive rate. In general, prioritise indicators with a score of 20 or higher; lower-scoring indicators may still be useful for retrospective analysis. So you can choose, for example, to download indicators with a score from 40.
    • User Name: your account name
    • Password: your password
    • Plugin class: com.accelops.service.threatfeed.impl.ThreatFeedWithMappingPolicyService
    • Field separator: ","
    • Data Format: CSV
    • Data Update: Incremental, or Full.

Then you have to map the fields from RST Threat Feed to FortiSIEM fields as in the field mapping tables. RST Threat Feed contains more fields than those listed, but FortiSIEM is currently technically limited to this list.

Congratulations! You have successfully configured the RST Threat Feed in FortiSIEM. You can now leverage the threat intelligence data in your security operations.

IP fields mapping

Mapped Field Position: 1, 2, 3, 4, 5, 6, 7, 8, 9

Domain fields mapping

Mapped Field Position: 1, 2, 3, 4, 5, 6, 7

URL fields mapping

Mapped Field Position: 1, 2, 3, 4, 5

FortiGate

About this integration

RST Cloud has enhanced its integration with FortiGate products, which dynamically import external block lists, allowing devices to tap into the collective intelligence of the global cyber community and of the researchers who contribute their findings to it. This enables RST Cloud and Fortinet clients to ensure that the most dangerous and current threats are stopped at the network’s perimeter.

RST Cloud offers a number of APIs that can be used to interface with a range of enterprise products. The FortiGate integration model leverages a specially built API that is less versatile than the main API but ensures device compatibility. In a nutshell, the API interaction is a TLS-encrypted HTTP GET request with login/password access:

GET https://[username]:[password]@fortigate-threat-feed.rstcloud.net/[indicator_type]/[score]/[category]

indicator_type (mandatory): ip, domain, url, md5, sha1, sha256

score (mandatory): from 0 to 100

category (optional, requires score to be specified): generic, scan, spam, badssl, shellprobe, badbot, phishing, webattack, c2, tor_exit, malware, botnet, tor_node, ddos, cryptomining, fraud, spyware, keylogger, backdoor, trojan, dropper, rat, rootkit, ransomware, stealer, scam, vpn, dns, proxy

An administrator can take advantage of the feed’s capabilities in two ways.

First and foremost, use the scoring model’s results to block only “high” score indicators. If you don’t pick a category, we recommend treating IoCs with a score less than 45 as informational, between 45 and 55 as suspicious, and IP addresses with a score greater than 55 as malicious. These score thresholds differ depending on the type of IoC. A good starting point for blocking with external domain lists is a score of 35. The query’s versatility allows administrators to choose which types of indicators they require and to find a score that best meets their needs. RST Cloud customers tend to set a higher score threshold for IP addresses, while a lower score may be enough to classify an IoC as risky for Domain/URL types, and especially for hashes.

Second, indicator categories can be used to create custom lists that block ransomware- or phishing-related connections, with the option of lowering the score for those categories to expand the coverage.

Configuration Steps

IoC types: IP, Hostname, URL

External Block List is the feature that FortiGate uses to integrate with external sources of threat intelligence. It is used to pull a list of indicators from a remote server and import them into the device. You can use External Block List (Threat Feed) for web filtering and DNS, or in firewall policies, where an external IP list is supported as a source/destination address.

FortiOS can be configured to import indicators from RST Cloud based on the following two criteria: score (from 0 to 100) and category (malware, c2, phishing, etc.).

A sample configuration for an IP list is:

In Security Fabric > Fabric Connectors > Threat Feeds > IP Address, create or edit an external IP list object.

For the URI you should use:

GET https://fortigate-threat-feed.rstcloud.net/[indicator_type]/[score]/[category]

Examples:

https://fortigate-threat-feed.rstcloud.net/IP/55

https://fortigate-threat-feed.rstcloud.net/IP/45/phishing

Then you turn on HTTP basic authentication and fill in the User and Password fields.

To create an external IP list object using the CLI:

config system external-resource
    edit "RST_Threat_Feed_IP_30_malware"
        set status enable
        set type address
        set username '[username]'
        set password [password]
        set comments 'fetches indicators with score more than 30 categorized as malware'
        set resource "https://fortigate-threat-feed.rstcloud.net/ip/30/malware"
        set refresh-rate 1440
    next
end
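As an added example (not RST Cloud's or Fortinet's code), the Python below builds the feed URI from the indicator_type/score/category rules given above, applies the IP score tiers from the previous section, and emits an external-resource stanza of the same shape as the CLI example; it also serves the md5/sha1/sha256 malware lists. The FortiOS `set type` value for URL lists (`category`) and the `<username>`/`<password>` placeholders are assumptions, not values from this page.

```python
# Added example (not RST Cloud's/Fortinet's code): URI rules above + FortiOS CLI layout.
BASE = "https://fortigate-threat-feed.rstcloud.net"
INDICATOR_TYPES = ("ip", "domain", "url", "md5", "sha1", "sha256")
CATEGORIES = set(
    "generic scan spam badssl shellprobe badbot phishing webattack c2 tor_exit "
    "malware botnet tor_node ddos cryptomining fraud spyware keylogger backdoor "
    "trojan dropper rat rootkit ransomware stealer scam vpn dns proxy".split())
# FortiOS `set type` per indicator type; 'category' for URL lists (a custom
# web-filter category) is an assumption from FortiOS docs, not from this page.
RESOURCE_TYPE = {"ip": "address", "domain": "domain", "url": "category",
                 "md5": "malware", "sha1": "malware", "sha256": "malware"}


def feed_uri(indicator_type: str, score: int, category: "str | None" = None) -> str:
    """Return the feed URI, rejecting values the API does not document."""
    itype = indicator_type.lower()
    if itype not in INDICATOR_TYPES:
        raise ValueError(f"unknown indicator_type: {indicator_type}")
    if not 0 <= score <= 100:
        raise ValueError("score must be within 0..100")
    if category is None:
        return f"{BASE}/{itype}/{score}"
    if category not in CATEGORIES:
        raise ValueError(f"unknown category: {category}")
    return f"{BASE}/{itype}/{score}/{category}"


def ip_verdict(score: int) -> str:
    """Tier an uncategorised IP indicator with the thresholds given above."""
    return "informational" if score < 45 else "suspicious" if score <= 55 else "malicious"


def external_resource(name: str, indicator_type: str, score: int,
                      category: "str | None" = None, refresh_rate: int = 1440) -> str:
    """Emit one CLI entry; credentials stay as placeholders to be set on the device."""
    comment = f"score {score}+" + (f" {category}" if category else "")
    return "\n".join([
        "config system external-resource",
        f'    edit "{name}"',
        "        set status enable",
        f"        set type {RESOURCE_TYPE[indicator_type.lower()]}",
        '        set username "<username>"',  # placeholder, never a real secret
        '        set password "<password>"',  # placeholder, never a real secret
        f'        set comments "{comment}"',
        f'        set resource "{feed_uri(indicator_type, score, category)}"',
        f"        set refresh-rate {refresh_rate}",
        "    next",
        "end",
    ])
```

Calling `external_resource("RST_Threat_Feed_IP_30_malware", "ip", 30, "malware")` reproduces the IP list above; a hash list is `external_resource("rst_threat_feed_md5_list", "md5", 5, "malware", 30)`.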

MD5/SHA1/SHA256 Hashes

You can use FortiGate’s Virus Outbreak Prevention engine with RST Threat Feed hash indicators. To configure Malware Hash:

  1. Navigate to Security Fabric > Fabric Connectors and click Create New.
  2. In the Threat Feeds section, click Malware Hash.

The Malware Hash source objects are displayed.

Ours is a unique feed in supporting all three hash types (md5, sha1, and sha256): we enrich each indicator with the missing hashes (where available) by searching additional sources, thus normalising one malware sample to one indicator with all three hashes. As a result, most indicators have fields for all hash types (all that were available at the time the indicator was found). If you want a better level of security, add all three types of hashes to your NGFW policy.

To configure Malware Hash, fill in the Connector Settings section.

Example URI:

https://fortigate-threat-feed.rstcloud.net/md5/5/malware

Then you turn on HTTP basic authentication and fill in the User and Password fields.

To configure the new Malware value of the type parameter for an external-resource entry in the CLI:

FGT_PROXY (external-resource) # edit rst_threat_feed_sha1_list
new entry 'rst_threat_feed_sha1_list' added
FGT_PROXY (rst_threat_feed_sha1_list) # set type ?
category    FortiGuard category.
address     Firewall IP address.
domain      Domain Name.
malware     Malware hash.

To configure external Malware Hash list sources in the CLI:

config global
    config system external-resource
        edit "rst_threat_feed_md5_list"
            set type malware
            set comments "List of md5 hashes only"
            set resource "https://fortigate-threat-feed.rstcloud.net/md5/5/malware"
            set refresh-rate 30
        next
        edit "rst_threat_feed_sha1_list"
            set type malware
            set comments "List of sha1 hashes only"
            set resource "https://fortigate-threat-feed.rstcloud.net/sha1/5/malware"
            set refresh-rate 30
        next
        edit "rst_threat_feed_sha256_list"
            set type malware
            set comments "List of sha256 hashes only"
            set resource "https://fortigate-threat-feed.rstcloud.net/sha256/5/malware"
            set refresh-rate 30
        next
    end
end

Then you can update your AntiVirus Profile to use the External Malware Block List.