MISP Integration Documentation
FortiSIEM
Integrating with MISP
Importing Threat Intelligence IOC from MISP into the
FortiSIEM CMDB.
US ATP Team
March 2020
Introduction
FortiSIEM is an advanced Security Information and Event Management (SIEM) system which combines an event database (proprietary NoSQL
or Elasticsearch) with a PostgreSQL CMDB database. Both databases are used for analytics
(search, reporting, dashboarding) and event correlation, with the CMDB categorizing nearly 200,000 unique multi-vendor events
into functional correlation categories.
MISP (Malware Information Sharing Project) is an open source threat intelligence platform and a community-driven project
(www.misp-project.org). Amongst many other things, MISP provides an IOC and indicator database allowing users to store
technical and non-technical information about malware samples, incidents, attackers and intelligence.
The current purpose of this FortiSIEM integration is to query MISP and produce lists of indicators to populate the
threat-related containers in the FortiSIEM CMDB.
Disclaimer
When mentioned in this document and this document only, the following terms and definitions will apply:
• This document and the provided script are provided as is and may not be 100% accurate; use caution.
• The script is designated as an internal/PoV usage script and hence is designed without error checking or resource
restraints, and so should only be used on a test/PoV system.
• TAC is not expected to support this script.
• Usage of this script is at your own risk.
• Any questions should be posted via FUSE or FNDN or directly to [email protected]
ADVANCED KNOWLEDGE GUIDE – Integrating with MISP
Usage
In addition to this document, a file named fsmMISPIntegration.zip should also have been provided.
Create a new directory for this program under the /root directory of your FortiSIEM test environment (for example MISP), then
copy the file to this directory via WinSCP, Cyberduck or your favourite secure copy program, where it should be unzipped and then
executed.
For example, this can be achieved via the commands below.
mkdir MISP
cd MISP
unzip fsmMISPIntegration.zip
chmod +x fsmMISP.sh
{
  "request": {
    "type": "url",
    "category": "Network activity",
    "last": "1d",
    "enforceWarninglist": "True"
  }
}
The type in this case is url, for the last 1 day. These query files are customizable; for example, the time window can be set to 5d, 12h or 30m, etc.
mkdir /var/www/html/ioc
This is the location where the fsmMISP script will write its CSV files ready for import.
Within the FortiSIEM Resources tab, under the various Threat Intel categories, create a folder for the MISP data.
For example, the following folders could be created (the names are not important):
Execute the MISP script from the extracted directory via one of the two methods below.
./fsmMISP.sh <options>
Or
./fsmMISP.sh
The <options> above are one or more comma-separated entries as per the table below.
Once the script completes, the output CSV files are created under the /var/www/html/ioc folder.
Option                           Description
NULL (i.e. no option specified)  All MISP queries above are performed
Examples
# Collect MISP md5, ip and urls
./fsmMISP.sh md5,ip,url
The script can be scheduled to run periodically via a cron job on the FortiSIEM backend.
Once the CSV files are ready, they can be imported (and scheduled if required) via the GUI under the Resources tab.
Malware IP
Navigate to and select the custom MISP IP folder previously created, then select More -> Update.
Choose the option to Update via API, then click the pencil icon and populate the URL as http://127.0.0.1/ioc/misp_ip.csv
Notice here the Data Update options for Full or Incremental updates.
For the Data Mapping for the CSV file, define the following:
Then click the plus icon next to Schedule, set a time/recurrence pattern as necessary, and click Save and Done when
completed.
Once the schedule is met, the MISP IPs should be imported as below:
Malware Domain
For the MISP domains, select the custom folder created earlier and again set it to update via API, this time using the following
URL and mappings, scheduled as necessary.
URL: http://127.0.0.1/ioc/misp_domain.csv
Once the schedule is met, the MISP domains should be imported as below:
Malware Hashes
For the MISP MD5, SHA1 and SHA256 lists, or the aggregated Hashes option (all formats together), select the custom folder or folders
created earlier and again set them to update via API, this time using the following URLs and mappings, scheduled as necessary.
You only need to define the entries that you need.
The mappings are the same for each type; MD5 is shown below as an example:
Once the schedule is met, the MISP MD5 hashes should be imported as below:
Malware URL
For the MISP URLs, select the custom folder created earlier and again set it to update via API, this time using the following URL
and mappings, scheduled as necessary.
URL: http://127.0.0.1/ioc/misp_url.csv
Once the schedule is met, the MISP URLs should be imported as below:
This records the results of the last time the script was run.
B) Syslog to FortiSIEM
The script will send syslog messages to the IP address of your FortiSIEM.
A parser (misp_parser.xml) that can be deployed is in the directory where the script was extracted. (The parser test
message is within the parser.)