Malware Patrol Services Archives - Malware Patrol https://www.malwarepatrol.net/category/malware-patrol-services/ Intelligent Threat Data Fri, 15 Dec 2023 23:35:08 +0000

AWS Route 53 DNS Resolver Firewall https://www.malwarepatrol.net/aws-route-53-dns-resolver-firewall/ Tue, 24 Oct 2023 21:40:09 +0000 https://www.malwarepatrol.net/?p=50700

The post AWS Route 53 DNS Resolver Firewall appeared first on Malware Patrol.


There are many security tools available, each serving a unique purpose in safeguarding your digital environment. Among them, the DNS firewall is one of the most effective and well-established. It acts as a critical line of defense against cyber threats by filtering and blocking access to malware and phishing websites, data exfiltration points, and other malicious resources. This prevents users from inadvertently visiting dangerous sites or falling victim to cyber attacks.

Amazon Route 53 is a Domain Name System (DNS) service that connects user requests to Internet applications running on AWS or on-premises. Among the features this service offers is protection via the Route 53 Resolver DNS Firewall. It allows the use of AWS Managed Domain Lists, as well as custom Domain Lists (outside sources or your own). This step-by-step guide shows how to integrate Malware Patrol’s Malicious Domains threat intelligence with the AWS Route 53 Resolver DNS Firewall.

Add Malware Patrol’s Malicious Domains List to Amazon Route 53 Resolver DNS Firewall

You’ll need your Malware Patrol subscription username and password to proceed.

Malware Patrol uses CloudFormation to create all the AWS resources needed to keep a Route 53 Domain List updated with Malware Patrol data. In short, it creates an S3 bucket and a Lambda function that downloads the Malicious Domains feed every hour and imports it into the Route 53 Domain List once it has been updated.

The process is simple. Start by signing into your AWS Management Console and clicking the following link:

(URL will be provided by your account manager)

When you click on this link, you will see fields for inputting your Malware Patrol username and password. Click “Create Stack”. (Do NOT modify any other field on the page!) The following resources are generated automatically:

  • CloudFormation stack: DomainListForMalwarePatrolRoute53
  • EventBridge rule: ScheduleForMalwarePatrolRoute53
  • Bucket: domainlistformalwarepatr-s3bucketformalwarepatrol-RANDOMNUMBER
  • Lambda Function: LambdaForMalwarePatrolRoute53
  • DNS Firewall Domain List: malware-patrol-malicious-domains

The following screenshots show the process that begins once you have clicked on the link above.

In the parameters section, enter your customer username and password.

In the capabilities section, you must acknowledge the IAM resources-related information. Click “Create Stack”.

The stack will show as being in progress for a few moments.

Once it is complete, you will see the following screen:

Navigate to your Route 53 console. You can do this by searching Route 53 in the search bar at the top of the screen.

From your Route 53 dashboard, select DNS Firewall from the left side menu.

Click on Rule Groups from the DNS Firewall entry on the left side menu and then click Create rule group.

Give the rule group a name and click Next.

Select Add rule.

Name the rule and select “Add my own domain list”. Under “Choose or create a new domain list”, select the Malware Patrol list.

For Action, drop down and select BLOCK and then select NXDOMAIN. Click Add rule.

Congratulations, your Malware Patrol Malicious Domains threat list is active and ready to protect your organization against the latest threats!

The next steps will vary by organization. Generally, you will want to enable firewall protection for your VPC(s). An Amazon resource outlining this process can be found below.

Note that the newly created Domain List may take more than an hour to populate, depending on how long it takes AWS to execute the Lambda function. After that, updates will be pushed automatically every hour.
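As an added illustration of what the stack's hourly job does (example code written for this page, not Malware Patrol's CloudFormation or Lambda code), the handler below fetches a feed, normalizes it into the one-domain-per-line file DNS Firewall imports, stages it in S3 and triggers a REPLACE import. The feed URL, credentials, bucket and domain list ID are placeholders read from environment variables; sending Basic credentials in a header rather than in the URL is this example's choice.

```python
"""Hourly sync of a Route 53 Resolver DNS Firewall domain list from a threat feed.
Added example for this page; not Malware Patrol's CloudFormation or Lambda code."""
import base64
import os
import re
import urllib.request

# Placeholders (assumptions): the real feed URL comes from your account manager,
# and the bucket/domain list IDs come from the stack's outputs.
FEED_URL = os.environ.get("FEED_URL", "https://example.invalid/feeds/malicious-domains.txt")
FEED_USER = os.environ.get("FEED_USER", "USERNAME")
FEED_PASSWORD = os.environ.get("FEED_PASSWORD", "PASSWORD")
BUCKET = os.environ.get("DOMAIN_LIST_BUCKET", "domainlist-bucket-PLACEHOLDER")
OBJECT_KEY = "malware-patrol-malicious-domains.txt"
DOMAIN_LIST_ID = os.environ.get("FIREWALL_DOMAIN_LIST_ID", "rslvr-fdl-PLACEHOLDER")

# DNS Firewall wants one domain per line; a leading "*." covers subdomains.
# The TLD must start with a letter so bare IPs never slip into a domain list.
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
_TLD = r"[a-z](?:[a-z0-9-]{0,61}[a-z0-9])?"
_DOMAIN_RE = re.compile(rf"^(?:\*\.)?(?:{_LABEL}\.)+{_TLD}$")

# Constructed sample feed (not real Malware Patrol data) for a local dry run.
SAMPLE_FEED = """\
# comment line
bad-example.test
BAD-EXAMPLE.test.
*.evil-example.test   # wildcard entry
http://not-a-domain.test/path
192.0.2.10
phish.example.net
"""


def basic_auth_header(user: str, password: str) -> str:
    """Build an HTTP Basic Authorization value instead of putting creds in the URL."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"


def normalize_feed(raw: str) -> list[str]:
    """Convert feed text into the domain-per-line format DNS Firewall imports.

    Strips comments and whitespace, lowercases, drops a trailing dot, rejects
    entries that are not domains (URLs, IPs) and de-duplicates, keeping order.
    """
    seen: set[str] = set()
    domains: list[str] = []
    for line in raw.splitlines():
        entry = line.split("#", 1)[0].strip().lower().rstrip(".")
        if not entry or entry in seen or not _DOMAIN_RE.match(entry):
            continue
        seen.add(entry)
        domains.append(entry)
    return domains


def fetch_feed(url: str, user: str, password: str) -> str:
    """Download the feed over HTTPS with Basic authentication."""
    req = urllib.request.Request(url, headers={"Authorization": basic_auth_header(user, password)})
    with urllib.request.urlopen(req, timeout=60) as resp:
        return resp.read().decode("utf-8", errors="replace")


def publish_domain_list(domains: list[str]) -> dict:
    """Stage the list in S3 and ask Route 53 Resolver to import it.

    The Lambda role needs s3:PutObject and s3:GetObject on the bucket and
    route53resolver:ImportFirewallDomains on the domain list.
    """
    import boto3  # imported lazily so normalize_feed() runs without AWS libraries

    body = ("\n".join(domains) + "\n").encode()
    boto3.client("s3").put_object(Bucket=BUCKET, Key=OBJECT_KEY, Body=body)
    resolver = boto3.client("route53resolver")
    # REPLACE swaps in the whole file, so domains gone from the feed stop matching.
    resp = resolver.import_firewall_domains(
        FirewallDomainListId=DOMAIN_LIST_ID,
        Operation="REPLACE",
        DomainFileUrl=f"s3://{BUCKET}/{OBJECT_KEY}",
    )
    return {"status": resp["Status"], "count": len(domains)}


def lambda_handler(event, context):
    """Entry point for the hourly EventBridge schedule."""
    domains = normalize_feed(fetch_feed(FEED_URL, FEED_USER, FEED_PASSWORD))
    if not domains:
        # An empty result usually means a download problem; keep the current list.
        raise RuntimeError("feed yielded no usable domains; refusing to replace the list")
    return publish_domain_list(domains)
```

Running `normalize_feed(SAMPLE_FEED)` locally shows the filtering (comments, duplicates, a URL and an IP are dropped) before any AWS call is made.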

Amazon Route 53 Resources

  • Managing Your Own Domain Lists: “You can create your own domain lists to specify domain categories that you either don’t find in the managed domain list offerings or that you prefer to handle on your own.”
  • Configuring logging for DNS Firewall: “You can evaluate your DNS Firewall rules by using Amazon CloudWatch metrics and the Resolver query logs. The logs provide the domain list name for all alerts and blocking actions.”
  • DNS Firewall rule groups and rules: “This section describes the settings that you can configure for your DNS Firewall rule groups and rules, to define the DNS Firewall behavior for your VPCs. It also describes how to manage the settings for your rule groups and rules.”
  • Enabling Route 53 Resolver DNS Firewall protections for your VPC: “You enable DNS Firewall protections for your VPC by associating one or more rule groups with the VPC. Whenever a VPC is associated with a DNS Firewall rule group, Route 53 Resolver provides the following DNS Firewall protections […]”

If you encounter any problems with your Route 53 DNS Resolver Firewall integration, please contact your account manager or send an email to support ( @ ) malwarepatrol.net.


Malware Patrol + Palo Alto Networks NGFW (PAN-OS) https://www.malwarepatrol.net/malware-and-palo-alto-networks-ngfw-configuration-guide/ Thu, 14 Sep 2023 16:47:44 +0000 https://www.malwarepatrol.net/?p=50024

The post Malware Patrol + Palo Alto Networks NGFW (PAN-OS) appeared first on Malware Patrol.


Malware Patrol offers five Enterprise feeds formatted for use with Palo Alto Networks NGFW (PAN-OS). Customers choose the feed(s) that meet their needs:

  1. DNS-over-HTTPS (DoH) Servers: This feed gives security teams control over the use of DoH in their environment. DoH wraps DNS queries in an HTTPS request, which can disguise malicious traffic. Several malware families take advantage of this and use DoH for their C2 communications.
  2. Malicious Domains: Prevent access to domains hosting malware, ransomware, phishing, cryptominers, and command and control servers (C2s) for over a hundred malware and ransomware families. Blocking C2 communication disrupts the attacker’s ability to execute malicious commands and move laterally within the network, essentially breaking the cyber kill chain.
  3. Malicious IPs: Provides a first line of defense against threats for which signature-based indicators may not yet be available. The broad coverage of IPs may also extend protection to attacks from adversaries utilizing the same infrastructure. The feed includes IPs actively hosting malware and ransomware files, phishing sites, and C2 servers.
  4. Malware URLs: This feed contains URLs known to be hosting malware and ransomware binaries. By leveraging malicious URL feeds, security tools can block access to harmful links while still allowing legitimate services hosted on the same domain. This level of precision prevents the unnecessary blocking of popular and legitimate platforms, such as Dropbox or Google Drive, where malicious content is frequently hosted.
  5. Scam Domains: Unlike other cyber threats that may rely on known patterns or malicious code, scams often leverage social engineering and psychological manipulation to deceive victims. That makes them hard to detect with conventional automated systems. This feed fills in the gaps of threat intelligence’s “gray area” with ScamAdviser’s extensive database covering online shopping, investment and crypto, identity theft, advance fees, employment, romance, subscriptions and other types of scams.

Integrating external threat intelligence into your organization’s firewall is a crucial step in fortifying cybersecurity defenses. Organizations gain a more comprehensive and well-rounded view of emerging threats when they diversify their information sources. Different providers may have varying expertise and access to distinct threat data, offering a broader spectrum of insights. This multi-sourced approach enhances the firewall’s ability to detect and block a wider range of malicious activities, reducing the risk of missing critical threats. It’s a strategic move that ensures a more robust and adaptable security posture, minimizing the chances of falling victim to sophisticated cyberattacks. Malware Patrol offers free evaluations of our Enterprise feeds, including those for Palo Alto Networks NGFW (PAN-OS). Request your evaluation here.


 

PAN-OS External Dynamic Lists

Additional threat intelligence sources are integrated into Palo Alto Networks NGFW’s PAN-OS as “External Dynamic Lists” or EDLs. According to the PAN-OS Administrator’s Guide: “An External Dynamic List is a text file that is hosted on an external web server so that the firewall can import objects—IP addresses, URLs, domains—included in the list and enforce policy. To enforce policy on the entries included in the external dynamic list, you must reference the list in a supported policy rule or profile. When multiple lists are referenced, you can prioritize the order of evaluation to make sure the most important EDLs are committed before capacity limits are reached. As you modify the list, the firewall dynamically imports the list at the configured interval and enforces policy without the need to make a configuration change or a commit on the firewall.” Users can add up to 30 EDLs. There are per-firewall model restrictions on the number of entries allowed for each of the following object types: 1) IP address and 2) URL & Domain. Check the above referenced administrator’s guide for more details.

Pre-Integration – External Source Certificate Profiles

When EDL sources, such as Malware Patrol, are secured with SSL, you will need a certificate profile in order to authenticate the server hosting your data feed(s). Both the root CA (certificate authority) and intermediate CA certificates are required. Per the Administrator’s Guide (link above), you should “use the same certificate profile to authenticate external dynamic lists from the same source URL. If you assign different certificate profiles to external dynamic lists from the same source URL, the firewall counts each list as a unique external dynamic list.”

To get the certificates for Malware Patrol:

1) Navigate to https://malwarepatrol.net (We used the Firefox browser – instructions will vary for others.)

2) (Left) Click on the site security padlock icon.

3) Select Connection Secure –> More Information.

4) Click View Certificate.

5) In the certificate information dialog box that appears:

  • Click on the Cloudflare Inc ECC CA-3 tab
  • Right click the PEM (cert) link
  • Select Save Link As and save as ‘root.pem’ to your computer
  • Click on the Baltimore CyberTrust Root tab
  • Right click the PEM (cert) link
  • Select Save Link As and save as ‘intermediate.pem’ to your computer.


Add Certificate Profiles to PAN-OS

6) Log in to your Palo Alto Networks firewall interface.

7) Click on the Device tab.

8) Expand Certificate Management on the left side menu and then select Certificate Profile.

9) Click the +Add button at the bottom left of the screen to add a new certificate profile.

10) In the Certificate Profile dialog box:

  • Name: Cloudflare
  • Click the +Add button at the bottom left of the CA Certificates (yellow) section of the dialog box
  • Select Import
  • Certificate Name: ‘Cloudflare – Intermediate’
  • Click Browse to find and select the ‘intermediate’ certificate saved on your computer
  • Click OK to save.

11) Repeat this process to add the second (root) certificate previously saved to your computer to the same Certificate Profile:

  • Click the +Add button again at the bottom of the CA Certificates section to add the root certificate
  • Select Import
  • Certificate Name: ‘Cloudflare – Root’
  • Click Browse to find the ‘root’ certificate saved on your computer
  • Click OK to save.

12) You will see both certificates listed in the Certificate Profile window. Click OK to exit.

13) Click Commit in the upper right hand corner to save your changes.

14) Once completed, a Commit Status dialog box will appear. Make sure the result is successful.

 

Add an IP EDL

15) From the Objects tab, select External Dynamic Lists on the left side menu.

16) Click the +Add button at the bottom left of the screen to add a new EDL. A dialog box will appear.

17) In the External Dynamic Lists dialog box:

  • Name: Malware Patrol – Malicious IPs
  • Type: IP List
  • Source: Paste the link to the IP feed from your Malware Patrol customer or evaluation portal. Insert your username and password as follows for authentication purposes: https://USERNAME:PASSWORD@eval.malwarepatrol.net/feeds/files/FILENAME
  • Certificate Profile: Cloudflare
  • Repeat: Hourly
  • Click OK to save.

18) Click Commit in the upper right hand corner to save your changes. Make sure the result is successful in the Commit Status window that appears after the process has completed.

 

Apply a Security Policy to an IP EDL

19) From the Policies tab, select Security on the left side menu.

20) Click the +Add button at the bottom left of the screen to add a new security policy.

21) In the Security Policy Rule dialog box:

  • Name: Malware Patrol – Malicious IPs
  • Click Destination tab
  • Destination Zone: Any
  • Destination Address: External Dynamic List –> Malware Patrol – Malicious IPs
  • Click Actions tab
  • Action: Deny
  • Click OK to save.

22) Once again click Commit in the upper right hand corner to save your changes. Make sure the result is successful in the Commit Status window that appears after the process has completed.

 

Add a URL EDL

23) From the Objects tab, select External Dynamic Lists on the left side menu.

24) Click the +Add button at the bottom left of the screen to add a new EDL. A dialog box will appear.

25) In the External Dynamic Lists dialog box:

  • Name: Malware Patrol – Malicious URLs
  • Type: URL List
  • Source: Paste the link to the URL feed from your Malware Patrol customer or evaluation portal. Insert your username and password as follows for authentication purposes: https://USERNAME:PASSWORD@eval.malwarepatrol.net/feeds/files/FILENAME
  • Certificate Profile: Cloudflare
  • Repeat: Hourly
  • Click OK to save.

26) Once again click Commit in the upper right hand corner to save your changes. Make sure the result is successful in the Commit Status window that appears after the process has completed.

 

Apply a Security Policy to a URL EDL

27) From the Policies tab, select Security on the left side menu.

28) Click the +Add button at the bottom left of the screen to add a new security policy.

29) In the Security Policy Rule dialog box:

  • Name: Malware Patrol – Malicious URLs
  • Click Service/URL Category tab
  • Service: Application-Default
  • URL Category: External Dynamic List –> Malware Patrol – Malicious URLs
  • Click Actions tab
  • Action: Deny
  • Click OK to save.

30) Once again click Commit in the upper right hand corner to save your changes. Make sure the result is successful in the Commit Status window that appears after the process has completed.

 

Add a Domain EDL

“An external dynamic list of type domain allows you to import custom domain names into the firewall to enforce policy using an Anti-Spyware profile or SD-WAN policy rule. An EDL in an Anti-Spyware profile is very useful if you subscribe to third-party threat intelligence feeds and want to protect your network from new sources of threat or malware as soon as you learn of a malicious domain. […] You can also specify the firewall to include the subdomains of a specified domain. […] When this setting is enabled, each domain in a given list requires an additional entry, effectively doubling the number of entries used by the list.” (PAN-OS Administrator’s Guide)

Malware Patrol offers three domain-based feeds for PAN-OS: Malicious Domains, Scam Domains, and DoH Servers.

31) From the Objects tab, select External Dynamic Lists on the left side menu.

32) Click the +Add button at the bottom left of the screen to add a new EDL. A dialog box will appear.

33) In the External Dynamic Lists dialog box:

  • Name: Malware Patrol – Malicious Domains
  • Type: Domain List
  • Source: Paste the link to the domain feed from your Malware Patrol customer or evaluation portal. Insert your username and password as follows for authentication purposes: https://USERNAME:PASSWORD@eval.malwarepatrol.net/feeds/files/FILENAME
  • Certificate Profile: Cloudflare
  • Repeat: Hourly
  • Click OK to save.
  • Repeat this process to add Malware Patrol’s DNS-over-HTTPS Servers and Scam Domains feeds as EDLs.

34) Once again click Commit in the upper right hand corner to save your changes. Make sure the result is successful in the Commit Status window that appears after the process has completed.

 

Apply a Security Policy to a Domain EDL

Note: This process is slightly different from adding a security policy to IP and URL EDLs.

Add Anti-Spyware Profile

35) From the Objects tab, expand Security Profiles on the left side menu and click Anti-Spyware.

36) Click the +Add button at the bottom left of the screen to add a new profile. A dialog box will appear.

37) In the Anti-Spyware Profile dialog box:

  • Name: MalwarePatrolMaliciousDomains
  • Select the DNS Signatures tab
  • Click the +Add button at the bottom left of the External Dynamic List Domains section
  • Select External Dynamic Lists > Malware Patrol – Malicious Domains from the dropdown list
  • Repeat this process to add Malware Patrol – DOH Servers and/or Malware Patrol – Scam Domains
  • Action on DNS Queries: Apply either Block or Sinkhole to the newly added feed(s), per your organization’s needs
  • Click OK to save.

38) Once again click Commit in the upper right hand corner to save your changes. Make sure the result is successful in the Commit Status window that appears after the process has completed.

Add a Security Policy

39) From the Policies tab, select Security on the left side menu.

40) Click the +Add button at the bottom left of the screen to add a new security policy.

41) In the Security Policy Rule dialog box:

  • Name: Malware Patrol – Malicious Domains (or Scam Domains or DoH Servers)
  • Click Destination tab
  • Destination Zone: Any
  • Destination Address: Any
  • Click Actions tab
  • Profile Type: Profiles
  • Anti-Spyware: Select MalwarePatrolMaliciousDomains
  • Click OK to save.

42) Once again click Commit in the upper right hand corner to save your changes. Make sure the result is successful in the Commit Status window that appears after the process has completed.

PAN-OS Reference Document Links:

If you need any assistance with your Palo Alto NGFW integration with Malware Patrol’s data feeds, please email support ( @ ) malwarepatrol.net or contact your Account Manager.


Honeypots: Simple Tools that Supercharge Cybersecurity https://www.malwarepatrol.net/honeypots-simple-tools-that-supercharge-cybersecurity/ Fri, 11 Aug 2023 03:39:26 +0000 https://www.malwarepatrol.net/?p=49709

The post Honeypots: Simple Tools that Supercharge Cybersecurity appeared first on Malware Patrol.


Staying ahead of malicious actors is a constant challenge. As threats continue to increase in complexity and sophistication, organizations must adopt innovative approaches to safeguard their digital assets and sensitive information. One such approach is the use of threat intelligence derived from honeypots. These deception technology tools offer a unique and invaluable insight into the tactics, techniques, and procedures employed by cybercriminals, providing organizations with the upper hand in the ongoing battle against attackers.

The Value of Honeypots for Threat Intelligence

Honeypots are virtual or physical decoy systems designed to mimic legitimate services or applications. They can be strategically placed within an organization’s network to attract cyber attackers, diverting their attention away from actual critical assets. Another option, for research and threat intelligence gathering, is setting them up in distinct geographies via various service providers. No matter how they are deployed, the beauty of honeypots lies in their ability to capture and analyze timely data about incoming attacks without putting actual systems at risk. This data, often referred to as “honey data,” sheds light on emerging attack vectors.

1. Real-time Visibility into Attacks: Honeypots offer a front-row seat to ongoing cyber attacks. By emulating vulnerable systems and services, these traps attract a wide range of attackers attempting to exploit perceived weaknesses. The interactions between attackers and honeypots yield a wealth of information about attack methodologies, malware variants, and even potential zero-day vulnerabilities. This instant visibility enables security teams to detect and respond to threats swiftly, reducing the window of exposure and potential damage.

2. Understanding Attack Tactics: Through honeypots, organizations gain an intricate understanding of the tactics, techniques, and procedures (TTPs) employed by threat actors. Analyzing the behavior of attackers within the controlled environment of honeypots unveils their strategies, tools, and evasion techniques. This knowledge is crucial for anticipating future attacks and enhancing cybersecurity measures.

3. Prioritization and Resource Allocation: With the data derived from honeypots, organizations can effectively prioritize their cybersecurity efforts. By identifying the most prevalent attack vectors and targeting vulnerable systems, security teams can allocate resources where they are needed most. This strategic approach ensures that cybersecurity investments are optimized to mitigate the highest risks, leading to a more resilient defense posture.

Types of Honeypot Attacks

There are many different kinds of honeypots. They range from low interaction to high interaction, and can mimic just about anything: IoT devices, SSH, WordPress, databases, ICS, and APIs, to name a few. By emulating vulnerable systems, services, and applications, honeypots attract attackers and capture their activities in a controlled environment. Here are some of the key types of attacks that honeypots can effectively detect (depending on their functionality):

  1. Break-In Attempts: Honeypots are adept at capturing break-in attempts, where attackers try to gain unauthorized access to systems or networks. By mimicking enticing entry points, such as open ports or weakly protected services, honeypots can lure attackers and record their attempts to exploit vulnerabilities.
  2. Malware Propagation: Honeypots can also detect attempts to spread malware across networks. Attackers often use compromised systems as launchpads for distributing malware to other targets. Honeypots, acting as seemingly vulnerable hosts, attract malware propagation attempts and allow researchers to analyze the behavior and characteristics of the malicious code.
  3. Port Scanning and Reconnaissance: Cybercriminals often perform port scanning to identify potential entry points into a network. Honeypots, configured with various open ports and services, can capture these scanning activities. The data collected provides insights into the attacker’s scanning techniques and the extent of their reconnaissance efforts.
  4. Credential Theft and Brute Force Attacks: Honeypots can mimic login pages and services to attract attackers attempting to steal credentials through phishing or brute force attacks. By capturing these login attempts, organizations can gain insights into the attackers’ methods and strategies for credential theft.
  5. Botnet Activities: Honeypots can act as alluring targets for botnets seeking to recruit new compromised hosts. By engaging with these botnets, researchers can gain insights into command and control mechanisms, as well as the scale and distribution of the botnet infrastructure.
  6. Distributed Denial of Service (DDoS) Reconnaissance: Attackers often conduct reconnaissance to identify potential targets for DDoS attacks. Honeypots can capture these reconnaissance activities, shedding light on the attacker’s infrastructure and the potential targets they are assessing.
  7. Exploitation of Vulnerabilities: Honeypots can replicate systems with known vulnerabilities, inviting attackers to exploit these weaknesses. This allows security teams to analyze the techniques used by attackers to compromise systems and the specific vulnerabilities they target.
  8. Insider Threat Detection: Honeypots can also be used to detect insider threats, where authorized individuals misuse their privileges to compromise systems or steal sensitive data. By tracking unusual activities within the controlled environment of a honeypot, organizations can identify potential insider threats.
  9. Zero-Day Exploits: Honeypots can be configured to mimic specific software versions and configurations that may be vulnerable to zero-day exploits. Detecting attackers attempting to exploit unknown vulnerabilities provides crucial insights into emerging threats.
  10. Command and Control (C2) Communications: Honeypots can capture communications between compromised systems and command and control servers. This helps researchers understand the communication protocols, techniques, and infrastructure used by attackers to control compromised hosts.

Introducing Malware Patrol’s Intrusion Insights Feed

Our latest offering, Intrusion Insights Data Feed, is derived from honeypots strategically deployed across the globe. Until now, our decade-old honeynet has been used for internal purposes only. We are thrilled to finally be sharing this information with our customers. The JSON-formatted data feed, updated every 15 minutes and spanning the last 36 hours of activity, provides a treasure trove of insights into live, ongoing attacks against cyber infrastructure.

Conclusion

At Malware Patrol, we believe that some of cyber security’s most mature and commonly used tools still offer high ROI and impacts well beyond those of their contemporary, super-hyped counterparts. Honeypots, aka “deception technology,” are a dependable classic. The basics are always in style around here!

With their ability to attract, capture, and analyze attacks, honeypots provide a unique and incomparable vantage point into the strategies employed by malicious actors. Embrace the power of deception-derived threat intelligence and request a free evaluation of our Intrusion Insights feed today.


Finding the Best Threat Intelligence Vendor https://www.malwarepatrol.net/best-threat-intelligence-vendor/ Mon, 26 Dec 2022 18:32:13 +0000 https://www.malwarepatrol.net/?p=46843

The post Finding the Best Threat Intelligence Vendor appeared first on Malware Patrol.


Everyone in our line of business wants to be considered the best threat intelligence vendor. The task of gathering and producing top-notch cyber threat intelligence (CTI) is harder than you might think, however. Here are a few reasons why:

(1) It’s literally impossible to gather information about every threat, so, CTI vendors have to accept a suspense-ridden level of imperfection. All this while knowing that it takes only one incident to cause great damage to our customers.

(2) The proper – or at least, consistent – attribution and categorization of threats is a mindblowingly-tedious-bordering-on-futile task. (Have you seen how many aliases there are for the Lazarus Group?) But without some attempt at doing so, crucial context, like TTPs, is lost.

(3) Known, active indicators number in the many millions. And threat actors constantly swap out their infrastructure. Keeping this amount of data current and false positive-free is a never-ending job that requires a delicate balance of automation and human quality control.

As for #1, we vendors can only strive to do our best – and avoid false advertising, because no one likes a liar. The second item on this list requires a MacGyver-like skillset, a super knowledgeable cybersecurity team, and a LOT of lookup tables. Number three, while challenging, is an area where threat intelligence vendors can have some control and differentiate themselves.

For example, at Malware Patrol, our systems visit each indicator at least once per day to verify its status. Inactive = Bye-Bye. And as a rule, we have never included publicly available data in our feeds unless it can be verified by our own proprietary systems. This significantly limits our data sources, but as far as we’re concerned, a random list of malicious IPs is just that. Without confirmation, there is no confidence. The result of stubbornly applying our “quality over quantity” mantra to all we do? Malware Patrol’s collection of actionable, high-confidence threat intelligence feeds.

 

Quality over Quantity or It’s a Numbers Game?

Here’s where we are going to contradict ourselves, a little. Or maybe it’s more of a tangent.

Even though our team works hard to make Malware Patrol one of the best threat intelligence vendors out there, we have been repeatedly forced to concede that cyber criminals are as determined, resourceful, and intelligent as we are. New campaigns, threat actors, and TTPs are disclosed daily. Each advance on our side is met with one on theirs. It is the ultimate Olympic table tennis match.

The “constantly changing threat landscape” reality forces cybersecurity companies to re-evaluate, innovate, and evolve our offerings probably more frequently than in any other industry. Malware Patrol is no exception.

During a recent brainstorming session, our team decided to “play the numbers game” in order to increase our threat coverage. To accomplish this without risking the quality of our data, we added a separate open source intelligence offering, described below. Our reasoning was that there is really no match for the breadth and timeliness of data gathered and shared by a global community. With some caveats, of course! Keep reading.

 

OSINT: You (Don’t) Get What You (Don’t) Pay For

There are several undeniable benefits of using OSINT. It can help to improve the completeness and speed of threat intelligence. This is particularly important in the case of rapidly evolving threats, where timely intelligence can be critical. By leveraging the knowledge and work of many people, OSINT can help to fill in gaps and provide insights that would otherwise be unavailable.

However, there are some major challenges that come with using open source intelligence. The most obvious of these is the vast amount of data available. It can be mission impossible to sift through so much information, i.e., looking for a needle in a haystack. And who has time for that these days?

And when OSINT collectors are not looking for specific pieces of information or indicators, but rather trying to gain general insights into a particular topic or issue, the data set is potentially even bigger and without a doubt more complex to analyze. It requires being able to quickly scan large amounts of data and identify patterns or trends.

As we have previously mentioned, it is difficult to find reliable sources of information and OSINT is no exception. Because anyone can contribute to an open source, the quality of the information can vary greatly. There is no guarantee of accuracy and no support.

It can also be difficult to access the information contained within some OSINT sources. Often, the data is stored behind paywalls or requires special login credentials. Additionally, some types of data (such as video or audio) may not be easily accessible without specialized software or hardware.

As a cybersecurity professional, it is your job to protect your organization using your team’s technical abilities paired with your finite financial resources. As such, it behooves you to thoroughly evaluate everything used in your cybersecurity efforts, from outsourced services to tools and OSINT.

You may have guessed this next part already: paid threat intelligence services help eliminate these challenges. We specialize in and dedicate resources to the challenges listed above. That makes them our problems, not yours. Put simply, it is our job to “make” CTI and try to be the best threat intelligence vendor.


Open Source Intelligence (OSINT) the Malware Patrol Way

So, now it is time to (re)introduce our three new OSINT-based data feeds. They contain curated data derived from our geographically diverse network of honeypots as well as trusted third-party sources. And to be clear, these feeds will remain SEPARATE from our commercial data feeds.

  • High Risk IPs: Addresses involved in a range of malicious activities, such as spam, break-in attempts, malware distribution, botnets, and command-and-control communications.
  • Risk Indicators: A variety of threat-related IoCs, including MD5, SHA1, and SHA256 hashes, email addresses, cryptocurrency addresses, and CVEs.
  • Tor Exit Nodes: Addresses of active Tor exit nodes as reported by the Tor Project. Because these addresses are frequently involved in malicious activities, it is advisable to monitor, if not block, traffic from them.

Here’s how we are doing OSINT the Malware Patrol way:

  • We enrich the feeds with decision-enhancing context that may include the associated malware family, threat actor, article links, and any other available metadata.
  • Entries are removed at regular intervals to make sure the data stays fresh.
  • Our team manages the data quality and sources closely.

Register for Malware Patrol’s OSINT feeds here.


Conclusion

To bring this all to a conclusion, we believe that being the best threat intelligence vendor does not simply mean having more indicators than the competition. Instead, an organization that provides an honest, accurate assessment of their data’s coverage upfront is less likely to over-promise and under-deliver. A laser focus on the quality of their threat intelligence is also crucial.

When combined with the willingness (and ability!) to constantly and creatively adapt, the likelihood is much higher that the provider can be a real partner in your organization’s cybersecurity efforts. Using OSINT or other less traditional collection methods to improve threat coverage is just one example of the kind of dynamic, adaptable threat intelligence vendor you should look for in the sea of options now available in our industry’s market.

New OSINT Feeds: High Risk IPs – Risk Indicators – Tor Exit Nodes https://www.malwarepatrol.net/new-osint-data-feeds/ Wed, 23 Nov 2022 08:43:48 +0000 https://www.malwarepatrol.net/?p=45530


Sharing is Caring

To our industry’s credit, there are many good OSINT feeds and data sharing platforms. Even better, they are relatively easy to find. A simple Google search for open source intelligence (OSINT) threat feeds or open source cybersecurity tools will yield many, many results. This is really a testament to the goodwill and collaborative spirit of the cybersecurity community.

Some examples of data sharing options include DHS CISA AIS, AlienVault OTX, and Abuse.ch, just to name a few. High quality open source security tools (TIP, SIEM, SOAR), such as MISP, are also readily available to help your organization utilize intelligence of all kinds.

Avoid Analysis Paralysis

As usual, there is a however to this good news: the number of available resources can be overwhelming. When faced with so many options, it can be difficult, or time consuming at the very least, to select, evaluate, and implement free intelligence and tools in your organization. Without some parameters or pre-defined goals, your research efforts may fall short.

If you are about to embark on this journey, we would like to offer a few suggestions about how to structure and organize your OSINT search process:

1) Determine your organization’s intelligence needs and priorities.

    • Review current goals or roadmaps related to threat intelligence to clarify and prioritize your needs.
    • Ask your security team – and other relevant stakeholders – for their input:
      • What are your data gaps? For example, what caused your last incident, and could it have been prevented with some additional type of data?
      • Do you know the tactics, techniques and procedures (TTPs) of threat actors targeting your organization’s industry and could OSINT help prepare for these specific kinds of attacks?
      • Is there a paid intelligence resource or tool you are unable to afford but really want? Maybe it is worth looking for a free/open source alternative?
      • Also consider other topics specific to your organization, industry, security environment, geopolitical events, and so on.

2) Research and compile a list of potential sources.

    • Use one of the industry’s go-to OSINT resources as a starting point.
    • Ask around – nothing beats a firsthand recommendation.
    • Search for curated lists of OSINT feeds/sources. (Be mindful of the age and potential bias of the information source.) We found these helpful articles during our research: SOCRadar, Spiderfoot, Sunny Valley Networks and SENKI. GitHub rarely disappoints.

3) Evaluate and rate the sources for final decision making.

    • Criteria to consider:
      • Data quality – Are you familiar with the organization that generates it? For a crowd-sourced data community, how is it managed and how are members vetted? Is the data rated or otherwise confirmed by group members in some way? How is it aged?
      • Update frequency (if applicable) – Hourly, Daily, Monthly, Other?
      • Coverage – Geography? Market vertical?
      • Aggregation/Efficiency – Does the provider aggregate multiple sources into one?
      • Ease of integration/retrieval – Do your tools ingest data in the formats provided? Can collection be easily automated or otherwise added to your team’s tasks without being burdensome?
      • Context – Does the data include context on the incident or campaign?
      • Licensing – Does it allow for your intended use of the data? Open source does not automatically mean the data can be used freely for commercial purposes.
    • Check for overlap with your current resources to prevent overloading your tools with repetitious data. For example, MISP has a Feed overlap analysis matrix. Other tools offer similar functionality.
    • Consider the reputation of the provider and any other applicable factors from your research to determine the confidence level you feel comfortable applying to the data:
      • High confidence – Decisions and alerts will be based on this data source
      • Medium confidence – Indicator must be confirmed by another source before it is acted upon
      • Low or N/A confidence – Not used for alerts or blocking, but useful for research and as a confirmation of an indicator’s maliciousness
    • Use all the above information to make a final list. Review and decide.

4) Decide which tool(s) and/or process(es) will use the OSINT feed or unstructured data and for what purpose. (Use details from step 1 to help with this.)

    • Integrate the threat data into your security tool(s) and processes. Set up automatic downloads and/or assign manual tasks.
    • Update documentation/SOPs to include your new resources.
    • Inform security teams and provide any necessary training on how to use/interpret the data.
    • Schedule a review (30, 60, 90 days) to evaluate the usefulness and quality of the data.
    • Wash, rinse, repeat to keep expanding your OSINT at regular intervals.
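As an added example (not code from the Malware Patrol post), the following Python models steps 3 and 4 above: it ages out indicators that have not been seen recently, computes a feed overlap matrix similar in spirit to the MISP feature mentioned in step 3, and applies the three confidence tiers when deciding what to do with each indicator. Every feed name, indicator and date is constructed, and the 30-day aging window is an assumption; a low-confidence source is allowed to confirm a medium-confidence one, as the tier description above suggests.

```python
"""Added example, not code from the Malware Patrol post: a small model of the
evaluation and ingestion steps above. Feed names, indicators, confidence
ratings and the 30-day aging window are all constructed for illustration."""
from collections import defaultdict
from datetime import date, timedelta
from itertools import combinations

# Confidence tiers from step 3: high acts directly, medium needs a second
# source, low is research/confirmation only.
HIGH, MEDIUM, LOW = "high", "medium", "low"

# Constructed sample feeds (hypothetical names): name -> (confidence, {indicator: last_seen}).
SAMPLE_FEEDS = {
    "vendor_c2_feed": (HIGH, {
        "198.51.100.7": date(2022, 11, 20),
        "203.0.113.45": date(2022, 11, 21),
    }),
    "community_feed": (MEDIUM, {
        "203.0.113.45": date(2022, 11, 22),  # also in the vendor feed
        "192.0.2.99": date(2022, 11, 22),    # also in the low-confidence feed
        "192.0.2.55": date(2022, 11, 22),    # seen nowhere else
        "192.0.2.10": date(2022, 9, 1),      # stale, should be aged out
    }),
    "pastebin_scrape": (LOW, {
        "192.0.2.99": date(2022, 11, 22),
        "198.51.100.200": date(2022, 11, 22),
    }),
}


def age_out(entries, today, max_age_days=30):
    """Drop indicators not seen within max_age_days (the post's 'aged and removed')."""
    cutoff = today - timedelta(days=max_age_days)
    return {ioc: seen for ioc, seen in entries.items() if seen >= cutoff}


def overlap_matrix(feeds):
    """Pairwise count of indicators shared between feeds, to spot redundant sources."""
    matrix = {}
    for a, b in combinations(sorted(feeds), 2):
        shared = set(feeds[a][1]) & set(feeds[b][1])
        matrix[(a, b)] = len(shared)
    return matrix


def decide_actions(feeds, today, max_age_days=30):
    """Return {indicator: action}; action is block, alert-needs-review or research."""
    fresh = {name: (conf, age_out(entries, today, max_age_days))
             for name, (conf, entries) in feeds.items()}
    sources = defaultdict(set)  # indicator -> {(confidence, feed name)}
    for name, (conf, entries) in fresh.items():
        for ioc in entries:
            sources[ioc].add((conf, name))
    actions = {}
    for ioc, src in sources.items():
        confs = {conf for conf, _ in src}
        if HIGH in confs:
            actions[ioc] = "block"               # high confidence: act directly
        elif MEDIUM in confs and len(src) >= 2:
            actions[ioc] = "block"               # medium, confirmed by a second source
        elif MEDIUM in confs:
            actions[ioc] = "alert-needs-review"  # medium, not yet confirmed
        else:
            actions[ioc] = "research"            # low confidence only
    return actions


def run_sample(today=date(2022, 11, 23)):
    """Apply the decision logic to the constructed feeds as of a fixed date."""
    return decide_actions(SAMPLE_FEEDS, today)


if __name__ == "__main__":
    for pair, count in overlap_matrix(SAMPLE_FEEDS).items():
        print("overlap", pair, count)
    for ioc, action in sorted(run_sample().items()):
        print(ioc, "->", action)
```

In practice the per-feed confidence and the aging window would come from the evaluation notes you produced in step 3, and the resulting action would drive which blocklist or watchlist the indicator is pushed to in step 4.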

OSINT Feeds from Malware Patrol

If acquiring open source intelligence is a goal for your organization, we invite you to check out Malware Patrol’s free OSINT feeds. The curated data is derived from our internal research as well as trusted third-party sources.

  • High Risk IPs: Addresses involved in a range of malicious activities, such as spam, malware distribution, botnets, and command-and-control communications.
  • Risk Indicators: A variety of threat-related IoCs, including MD5, SHA1, and SHA256 hashes, email addresses, cryptocurrency addresses, and CVEs.
  • Tor Exit Nodes: Addresses of active Tor exit nodes as reported by the Tor Project. Because these addresses are frequently involved in malicious activities, it is advisable to monitor, if not block, traffic from them.

Here’s how Malware Patrol does OSINT:

  • We enrich the feeds with decision-enhancing context such as the associated malware family, threat actor, article links, and any other available metadata.
  • Entries are aged and removed at regular intervals to make sure the data stays fresh.
  • Our team manages the data quality and sources closely.

To find out more about our OSINT feeds, visit our Enterprise page.

MISP Project – A free & robust open source threat intelligence platform https://www.malwarepatrol.net/misp-project-free-threat-intelligence-platform/ Fri, 24 Jun 2022 18:43:05 +0000 https://www.malwarepatrol.net/?p=44323


MISP Project

The MISP project is a free open source threat intelligence platform (TIP) that stores, analyzes, and shares information about malware.

It is co-financed by the European Union, and a wide variety of organizations, including law enforcement agencies, private companies, and academic institutions, rely on it.

The platform has several features that make it an invaluable tool. For example, a searchable database of known malware samples allows organizations to find information on specific threats quickly. In addition, MISP includes a variety of other options such as a collection of OSINT feeds, API access, and integration with other security products.

Another reason why MISP is a crucial tool for malware researchers and security professionals is that it allows them to share information about new threats and samples quickly. This helps researchers keep up with the latest threats and allows them to work together to better understand and protect against new attacks.

MISP Threat Sharing Project Features

“Support” refers to the ability of a software or service to integrate with MISP. This is accomplished through an API or by using a MISP-compatible format. Many different types of industry software and services offer support. These include but are not limited to various SIEMs, TIPs, and incident response tools.

MISP modules are expansion modules that can be used to add new functionality to MISP. They are developed by the MISP community and are available for anyone to use. There are currently over 40 MISP modules available! They cover a wide range of topics, such as malware analysis, incident response, and threat intelligence. For example, the platform can use Splunk for log analysis or TheHive for incident response.

For customization purposes, MISP has flexible taxonomies for describing and tagging events. There is also support for exporting data in the MISP format or in STIX/MAEC formats, as well as an advanced correlation engine to identify relationships between indicators. Hierarchical tag inheritance is yet another feature.

To support its mission of enabling the sharing of information, the tool allows the creation of private groups for sensitive information. This is ideal for sharing information about new threats and vulnerabilities within a company so that everyone can be aware and take appropriate action.

pyMISP

The pyMISP project is an open-source toolbox written in Python 3 and serves as the official library for the MISP project. It is designed to support the MISP threat intelligence platform by providing a flexible and powerful platform for ingests, exports, queries, and analyses. The project is led by Alexandre Dulaunoy (@adulau), who is also the main developer of the MISP software.

pyMISP is released under the GNU Affero General Public License v3.0. The toolbox currently contains 19 different tools, each of which performs a specific function related to MISP.

Some of the more popular tools included in pyMISP are:

  • Ingest: This tool allows you to ingest data from a variety of sources, including text files, JSON files, and even generic SQL databases.
  • Export: This tool allows you to export data from MISP in a variety of formats, including CSV, XML, and HTML.
  • Query: This tool allows you to perform simple queries against the data in MISP. For example, you can use this tool to search for all incidents that contain a specific IP address.
  • Analysis: This tool allows you to perform various analyses on the data in MISP. For example, you can use this tool to generate a timeline of all events in MISP.
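To make the Query and Analysis ideas above concrete, here is an added example (not part of pyMISP or the MISP project) that works on events in MISP’s native JSON layout using only the Python standard library: it finds every event that contains a given IP address and builds a date-ordered timeline of events. The three events are constructed for illustration, with documentation-range IPs and a placeholder hash; the attribute keys used (`type`, `category`, `value`, `to_ids`) are the ones MISP itself emits.

```python
"""Added example (not pyMISP or MISP project code): querying MISP-format
events with the standard library only. The events below are constructed."""
import json
from collections import defaultdict

# Three constructed events in the shape MISP returns for an event export.
SAMPLE_EVENTS_JSON = json.dumps([
    {"Event": {"id": "1", "info": "Constructed: loader C2 sighting", "date": "2022-06-20",
               "Attribute": [
                   {"type": "ip-dst", "category": "Network activity",
                    "value": "203.0.113.45", "to_ids": True},
                   {"type": "sha256", "category": "Payload delivery",
                    "value": "0" * 64, "to_ids": True}]}},  # placeholder hash
    {"Event": {"id": "2", "info": "Constructed: phishing kit", "date": "2022-06-22",
               "Attribute": [
                   {"type": "domain", "category": "Network activity",
                    "value": "login.example.invalid", "to_ids": True},
                   {"type": "ip-dst|port", "category": "Network activity",
                    "value": "203.0.113.45|8443", "to_ids": False}]}},
    {"Event": {"id": "3", "info": "Constructed: unrelated miner", "date": "2022-06-22",
               "Attribute": [
                   {"type": "ip-dst", "category": "Network activity",
                    "value": "198.51.100.7", "to_ids": True}]}},
])

# MISP attribute types that carry an IP address; composite types use "ip|port".
IP_TYPES = {"ip-src", "ip-dst", "ip-src|port", "ip-dst|port"}


def load_events(raw):
    """Unwrap the {"Event": {...}} envelope of each exported event."""
    return [item["Event"] for item in json.loads(raw)]


def events_with_ip(events, ip):
    """IDs of events containing the IP in any ip-* attribute (the post's
    'search for all incidents that contain a specific IP address')."""
    hits = []
    for ev in events:
        for attr in ev.get("Attribute", []):
            if attr["type"] in IP_TYPES and attr["value"].split("|")[0] == ip:
                hits.append(ev["id"])
                break
    return hits


def timeline(events):
    """Events grouped by date, oldest first (the post's 'timeline of all events')."""
    by_date = defaultdict(list)
    for ev in events:
        by_date[ev["date"]].append(ev["info"])
    return [(day, sorted(by_date[day])) for day in sorted(by_date)]


def ids_attributes(events):
    """Attributes flagged to_ids, i.e. those MISP would push to a detection export."""
    return [(a["type"], a["value"])
            for ev in events for a in ev.get("Attribute", []) if a.get("to_ids")]


if __name__ == "__main__":
    evs = load_events(SAMPLE_EVENTS_JSON)
    print("events with 203.0.113.45:", events_with_ip(evs, "203.0.113.45"))
    for day, infos in timeline(evs):
        print(day, infos)
    print("detection-ready attributes:", ids_attributes(evs))
```

The `to_ids` filter is the distinction that matters when feeding MISP data to a blocking control: an attribute recorded only for context (here the port-qualified sighting in event 2) should not end up in a firewall list.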

Training Options

There are many super thorough training videos on YouTube. The official options, linked below, are provided by the team at CIRCL (Computer Incident Response Center Luxembourg), the creators of the platform. A YouTube search will yield even more results for MISP training sessions and usage tips.

Conclusion

Overall, the MISP Threat Sharing project is a powerful and feature-rich threat intelligence platform. The API and impressively long list of current integrations and services make it a super flexible TIP/tool that any team should consider if they have a need for one.

Malware Patrol offers several feeds formatted for MISP, as well as the option to sync with our MISP servers. The feeds available include:

You can request a free evaluation of our MISP services here. If you’re already a customer using MISP, we have a handy configuration guide available.

InfoSec Articles (05/09/2022 – 05/23/2022) https://www.malwarepatrol.net/infosec-articles-05-09-2022-05-23-2022/ Mon, 23 May 2022 17:53:20 +0000 https://www.malwarepatrol.net/?p=44124


Over the past two weeks, we saw that the CrowdStrike Falcon OverWatch threat hunting team uncovered a new and highly sophisticated Internet Information Services (IIS) post-exploitation framework that CrowdStrike refers to as IceApple. We also saw a 254% increase in activity from a Linux trojan called XorDdos. First discovered in 2014 by the research group MalwareMustDie, XorDdos was named after its denial-of-service-related.

For more articles, check out our #onpatrol4malware blog.

Custom PowerShell RAT targets Germans seeking information about the Ukraine crisis

Source: Malwarebytes Labs

The downloaded document is in fact a decoy for a Remote Access Trojan (RAT) capable of stealing data and executing other malicious commands on a victim’s computer. Read more.

ICEAPPLE: A NOVEL INTERNET INFORMATION SERVICES (IIS) POST-EXPLOITATION FRAMEWORK

Source: CrowdStrike

A new and highly sophisticated Internet Information Services (IIS) post-exploitation framework that CrowdStrike refers to as IceApple. Read more.

Operation RestyLink: APT campaign targeting Japanese companies

Source: NTT

NTT SOC observed an APT campaign targeting Japanese companies starting from mid-April 2022. In this article, NTT reports a detailed analysis of this campaign and discusses the attributes of the attacking group. Read more.

Twisted Panda: Chinese APT espionage operation against Russia’s state-owned defense institutes

Source: Check Point Research

In the past two months, CPR observed multiple APT groups attempting to leverage the Russia and Ukraine war as a lure for espionage operations. Read more.

Rise in XorDdos: A deeper look at the stealthy DDoS malware targeting Linux devices

Source: Microsoft 365 Defender Research Team

A 254% increase in activity from a Linux trojan called XorDdos. First discovered in 2014 by the research group MalwareMustDie, XorDdos was named after its denial-of-service-related. Read more.

Vidar distributed through backdoored Windows 11 downloads and abusing Telegram

Source: zscaler

In April 2022, ThreatLabz discovered several newly registered domains, which were created by a threat actor to spoof the official Microsoft Windows 11 OS download portal. Read more.

Threat Intelligence Providers vs Threat Intelligence Platforms https://www.malwarepatrol.net/threat-intelligence-data-providers-vs-threat-intelligence-platforms/ Fri, 04 Mar 2022 02:50:25 +0000 https://www.malwarepatrol.net/?p=39286


In information security, the ability to predict and adapt to the behaviors of criminals can help organizations improve defense strategies against cyber threats.

We can do this through the use of threat intelligence, where data comprised of past and current indicators of compromise (IOCs) is analyzed to block access to malicious resources, to alert about security breaches, and for threat hunting, among other initiatives.

Organizations usually outsource IOC feeds from Threat Intelligence Data Providers, aggregate them with other resources, and integrate them using Threat Intelligence Platforms.

To better understand these concepts, let’s dig deeper and discuss these two terms commonly interchanged by many.

What is a Threat Intelligence Data Provider?

A Threat Intelligence Data Provider is an entity that maintains feeds of indicators of compromise. The data in these feeds is gathered across a global landscape of spambots, honeypots, sandboxes, data sharing, crawlers, and many other sources to cover as many malicious campaigns as possible.

Data from threat intelligence providers is used to help enterprises strategize security measures according to their business goals. It is important to note that the outcomes of all initiatives derived from threat data will only be as good as the IOCs consumed.

Therefore, choosing a dependable Threat Intelligence Data Provider is a critical step.

What are some examples of IOCs?

Command & Control addresses + MITRE ATT&CK

Most malware and ransomware families utilize command and control (C2) systems to gather instructions on which institutions to target, to relay stolen data and credentials, and to exchange encryption keys.

Through C2s, attackers control entire botnets of infected computers. More often than not, traffic to C2s is encrypted and disguised as regular Internet communication.

DNS-over-HTTPS (DoH) Resolvers

DoH, or DNS over HTTPS (RFC 8484), is a relatively new protocol that provides increased privacy and security. It does this by encrypting DNS queries and responses, which prevents eavesdropping and man-in-the-middle attacks.

Instead of using a regular DNS resolver, queries are encrypted and sent to a DoH-enabled server, making them indistinguishable from ordinary HTTPS web traffic. Unfortunately, this means that DNS firewalls are bypassed, private hostnames may leak, and incident response and threat hunting become far more complex.

Tech support troubleshooting also changes significantly, since applications and the operating system may now use different resolvers, among other issues.

Anti-Mining

Cryptocurrency mining, also known as crypto mining, is the process responsible for verifying transactions from a public ledger and consequently creating new coins. Attackers lure their targets into clicking a malicious link in an email that loads crypto-mining code on the computer. They also deliver JavaScript code that uses the victim’s browser and computer resources for mining without the user’s consent.
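The three IOC types above are what a TIP or SIEM ultimately matches against traffic. As an added example (not Malware Patrol code), the Python below runs that matching over a handful of constructed DNS and proxy log lines: it flags queries for C2 and mining-pool domains, flags connections to known DoH resolvers, and also flags an HTTPS POST/GET to the `/dns-query` path on an unlisted host, since that is the path used in the RFC 8484 examples and by most public resolvers and it indicates a client sidestepping the DNS firewall. Every hostname, IP and log line is constructed; the log layout is an assumption, not a real product format.

```python
"""Added example (not Malware Patrol code): matching constructed DNS and
proxy log lines against C2, DoH-resolver and mining-pool indicators."""
import re
from collections import defaultdict

# Constructed IOC sets, keyed by the feed type they would come from.
IOCS = {
    "c2": {"update-check.example.invalid", "203.0.113.45"},
    "doh_resolver": {"doh.resolver.example.invalid", "198.51.100.53"},
    "mining": {"pool.mining.example.invalid"},
}

# Constructed log lines in an assumed layout:
#   "<ts> <client-ip> dns <qname>"
#   "<ts> <client-ip> proxy <method> <host>:<port> <path>"
SAMPLE_LOG = """\
2022-03-03T10:00:01Z 10.0.0.5 dns www.example.com
2022-03-03T10:00:02Z 10.0.0.5 dns update-check.example.invalid
2022-03-03T10:00:03Z 10.0.0.7 proxy POST doh.resolver.example.invalid:443 /dns-query
2022-03-03T10:00:04Z 10.0.0.7 proxy GET 203.0.113.45:443 /gate.php
2022-03-03T10:00:05Z 10.0.0.9 dns pool.mining.example.invalid
2022-03-03T10:00:06Z 10.0.0.9 proxy GET 198.51.100.53:443 /dns-query?dns=AAABAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB
2022-03-03T10:00:07Z 10.0.0.5 proxy POST unknown-cdn.example.net:443 /dns-query
"""

DNS_RE = re.compile(r"^(\S+) (\S+) dns (\S+)$")
PROXY_RE = re.compile(r"^(\S+) (\S+) proxy (\S+) ([^:\s]+):(\d+) (\S+)$")


def classify(indicator):
    """Return the IOC feed type an indicator belongs to, or None."""
    for kind, values in IOCS.items():
        if indicator in values:
            return kind
    return None


def scan(log_text):
    """Return (alerts, per-client summary).

    alerts: list of (ts, client, kind, indicator, note)
    summary: {client: set of IOC kinds that client touched}
    """
    alerts = []
    for line in log_text.splitlines():
        m = DNS_RE.match(line)
        if m:
            ts, client, qname = m.groups()
            kind = classify(qname)
            if kind:
                alerts.append((ts, client, kind, qname, "dns query"))
            continue
        m = PROXY_RE.match(line)
        if m:
            ts, client, method, host, port, path = m.groups()
            kind = classify(host)
            # /dns-query is the path from the RFC 8484 examples and most public
            # resolvers; a hit there on an unlisted host still suggests DoH use.
            if kind is None and path.startswith("/dns-query"):
                kind = "doh_resolver"
            if kind:
                alerts.append((ts, client, kind, host, f"{method} {path}"))
    summary = defaultdict(set)
    for _, client, kind, _, _ in alerts:
        summary[client].add(kind)
    return alerts, dict(summary)


if __name__ == "__main__":
    found, by_client = scan(SAMPLE_LOG)
    for alert in found:
        print(*alert)
    for client, kinds in sorted(by_client.items()):
        print(client, sorted(kinds))
```

A client that appears under both `doh_resolver` and `c2` (10.0.0.7 in the sample) is the case the DoH section warns about: its DNS resolution never touched the DNS firewall, so the C2 contact only shows up in proxy or flow data.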

What is a Threat Intelligence Platform?

A Threat Intelligence Platform (TIP) is a solution that organizations use to aggregate multiple threat data feeds, conduct event correlation and analysis, and perform adversary profiling.

Traditionally, analysts have to sort a large number of alerts into valid alerts and false positives. With a TIP, information gathered from multiple resources is analyzed within the platform. This way, it can give security teams more time to focus on incident response and proactive prevention strategies.

In addition, it usually integrates with Security Information and Event Management (SIEM) or Security Orchestration, Automation and Response (SOAR), and a ticketing system to perform event correlation and generate alerts for the incident response team.

Key Functions of TIP

Aggregation of Threat Intelligence Data

You can find threat intelligence data feeds in different formats, including CSV, JSON, and STIX.

Apart from external resources, enterprises must also include internal sources, such as network logs. The TIP is then in charge of the aggregation and deduplication of the data.

Threat Analysis

Together with the SIEM, TIP analyzes the threat indicators to sift through the data and remove information that isn’t relevant. Then, it sorts the data into valid threats and eliminates false positives. It also profiles analyzed information into potential threats as it tries to find patterns from historical data. Some TIPs also have risk-scoring capabilities.

Incident Response

In the event of an attack, the platform triggers a workflow that responds to the threat, while allowing human intervention when needed.

How Can We Help?

Malware Patrol offers a wide variety of IOC feeds for commercial and research purposes.

The data we provide is verified by our cybersecurity experts to lay out actionable indicators and protect customers against malware infections and data breaches.

For ease of use, the feeds are formatted for compatibility with the common threat intelligence platforms in the market. To know more, you can contact us and our cybersecurity experts will get in touch with you.

Andre Correa

CEO, Malware Patrol

FortiSIEM Configuration Guide https://www.malwarepatrol.net/fortisiem-configuration-guide/ Sat, 26 Feb 2022 17:20:00 +0000 https://www.malwarepatrol.net/?p=42974


Fortinet Configuration

Malware Patrol + FortiSIEM

Malware Patrol offers (5) Enterprise* feeds formatted for integration into FortiSIEM. This allows users to combine the quality of Fortinet’s SIEM security platform with the protection from our threat intelligence. Customers can choose the feed(s) that meet their needs:

*These feeds are not available for free or paid blocklists, or Business Protect customers. Find more details about our Enterprise offerings here.

We offer free evaluations of our Enterprise feeds, including those for FortiSIEM. To request your evaluation, complete our request form.


About FortiSIEM

“FortiSIEM brings together visibility, correlation, automated response, and remediation in a single, scalable solution. It reduces the complexity of managing network and security operations to effectively free resources, improve breach detection, and even prevent breaches. What’s more is that [the] architecture enables unified data collection and analytics from diverse information sources including logs, performance metrics, security alerts, and configuration changes. FortiSIEM combines the analytics traditionally monitored in separate silos of the security operations center (SOC) and network operations center (NOC) for a more holistic view of the security and availability of the business.”

“FortiGuard Threat Intelligence and Indicators of Compromise (IOC) and Threat Intelligence (TI) feeds from commercial, open source, and custom data sources integrate easily into the security TI framework. This grand unification of diverse sources of data enables organizations to rapidly identify root causes of threats, and take the steps necessary to remediate and prevent them in the future. Steps can often be automated with new Threat Mitigation Libraries for many Fortinet products.

External Threat Intelligence Integrations

  • APIs for integrating external threat feed intelligence — Malware domains, IPs, URLs, hashes, Tor nodes
  • Built-in integration for popular threat intelligence sources — ThreatStream, CyberArk, SANS, Zeus, ThreatConnect
  • Technology for handling large threat feeds — incremental download and sharing within cluster, real-time pattern matching with network traffic. All STIX and TAXII feeds are supported”


Adding External TI to FortiSIEM

The following are instructions to configure each of our data feeds on FortiSIEM version 6.4.0 (1412) using the web interface.


DNS-over-HTTPS (DoH) Domains

Benefits of the Malware Patrol DoH Data Feed

We developed this feed to help security teams monitor the use of DoH in their environment. Our tools actively search for new DoH servers on a continuous basis to keep this data fresh. DoH allows users to bypass the DNS-level controls and Internet usage policies put in place to protect your network against known threats, and threat actors are taking advantage of this, for example by using DoH for C2 server connections. As such, both incoming and outgoing DoH traffic should be closely monitored for indications of malicious activity.

1) From the FortiSIEM dashboard, navigate to Resources in the top navigation menu. On the left side menu that appears, you will see the types of IoC feeds that can be integrated.

2) Select Malware Domains from the menu on the left.

3) Click the + button at the upper left-hand side of this side menu to add a new Malware Domains group.

4) Enter a group name. We will use Malware Patrol – DoH to distinguish this feed from the Malware Patrol Malicious Domains previously entered.

5) Click save. The Malware Patrol – DoH group will now appear under the Malware Domains section.

6) Select/highlight the Malware Patrol group and then More from the top menu.

7) Select Update from the drop-down menu.

8) On the screen that pops up choose Update via API and click on the edit (pencil) button.

9) Enter the following to set up the feed update:

  • URL of your Malware Patrol DoH feed or evaluation feed. This can be obtained by right clicking on the feed’s link in the Malware Patrol customer or evaluation portal.
  • Your Malware Patrol portal username and password
  • Plugin Class: no changes
  • Field separator: ,
  • Data format: CSV
  • Data update: Full

10) In the Data Mapping section, match the following:

  • Domain Name, Position 1
  • Description, Position 2
  • Last Seen, Position 3

11) Click Save

12) Click on the Schedule: + button

13) On the screen that pops up, enter:

  • Start Time: Set a start time a few minutes from the current time. This will cause the data to be updated after your setup is complete
  • Recurrence Pattern: Hourly, Every 1 Hour (Malware Patrol feeds are updated on an hourly basis)
  • Recurrence:
    • Start From: Today’s Date
    • End Date: No End Date
  • Click Save

14) The data will populate at the start time set above. If it does not, click the Refresh button at the top of the data display area. Another option is to go back to the schedule settings to verify the time you set for the updates to begin. You can set another time a few minutes in the future.

15) To change the columns displayed once the data populates, click on the Select Columns button located beside the refresh button. Use the data mapping information from the setup process to know which fields are available in the Malware Patrol feed.


Malicious Domains

Benefits of the Malware Patrol Malicious Domains Data Feed

This Malware Patrol feed contains domains actively involved in malicious activities. The data is derived from five of our Enterprise feeds: 1) Anti-Mining, 2) Command & Control (C2) Addresses, 3) Domain Names Generated via DGAs, 4) Malware & Ransomware URLs, and 5) Phishing URLs. Network traffic associated with these domains is highly likely to be malicious.

1) From the FortiSIEM dashboard, navigate to Resources in the top navigation menu. On the left side menu that appears, you will see the types of IoC feeds that can be integrated.

2) Select Malware Domains from the menu on the left.

3) Click the + button at the upper left-hand side of this side menu to add a new Malware Domains group.

4) Enter a group name. We will use Malware Patrol for this guide.

5) Click save. The Malware Patrol group will now appear under the Malware Domains section.

6) Select/highlight the Malware Patrol group and then More from the top menu.

7) Select Update from the drop-down menu.

8) On the screen that pops up choose Update via API.

9) Click on the edit (pencil) button for the URL.

10) Enter the following to set up the feed update:

  • URL of your Malware Patrol Malicious Domains feed or evaluation feed. This can be obtained by right clicking on the feed’s link in the Malware Patrol customer or evaluation portal.
  • Your Malware Patrol portal username and password
  • Plugin Class: no changes
  • Field separator: ,
  • Data format: CSV
  • Data update: Full

11) In the Data Mapping section, match the following:

  • Domain Name, Position 1
  • Malware Type, Position 2
  • Description, Position 3
  • Date Found, Position 4
  • Last Seen, Position 5

12) Click Save

13) Click on the Schedule: + button

14) On the screen that pops up, enter:

  • Start Time: Set a start time a few minutes from the current time. This will cause the data to be updated after your setup is complete
  • Recurrence Pattern: Hourly, Every 1 Hour (Malware Patrol feeds are updated on an hourly basis)
  • Recurrence:
    • Start From: Today’s Date
    • End Date: No End Date
  • Click Save

15) The data will populate at the start time set above. If it does not, click the Refresh button at the top of the data display area. Another option is to go back to the schedule settings to verify the time you set for the updates to begin. You can set another time a few minutes in the future.

16) To change the columns displayed once the data populates, click on the Select Columns button located beside the refresh button. Use the data mapping information from the setup process for each feed to know which fields are available in the Malware Patrol feed.


Malicious IPs

Benefits of the Malware Patrol Malicious IPs Data Feed

This feed contains IP addresses known to actively host malicious files and C2 systems for malware and ransomware. Monitoring traffic destined to them is an effective network protection measure and provides valuable information for threat hunting purposes.

1) From the FortiSIEM dashboard, navigate to Resources in the top navigation menu. On the left side menu that appears, you will see the types of IoC feeds that can be integrated.

2) Select Malware IPs from the menu on the left.

3) Click the + button at the upper left of this side menu to add a new Malware IPs group.

4) Enter a group name. We will use Malware Patrol for this guide.

5) Click Save. The Malware Patrol group will now appear under the Malware IPs section.

6) Select/highlight the Malware Patrol group, then click More in the top menu.

7) Select Update from the drop-down menu.

8) On the next screen, choose Update via API and click on the edit (pencil) button.

9) Enter the following to set up the feed update:

  • URL of your Malware Patrol Malicious IPs feed or evaluation feed. This can be obtained by right-clicking on the feed’s link in the Malware Patrol customer or evaluation portal.
  • Your Malware Patrol portal username and password
  • Plugin Class: no changes
  • Field separator: ,
  • Data format: CSV
  • Data update: Full

10) In the Data Mapping section, match the following:

  • Name, Position 1
  • Low IP, Position 2
  • Malware Type, Position 3
  • Description, Position 4
  • Date Found, Position 5
  • Last Seen, Position 6

11) Click Save

12) Click on the Schedule: + button

13) On the next screen, enter:

  • Start Time: Set a start time a few minutes from the current time. This will cause the data to be updated after your setup is complete
  • Recurrence Pattern: Hourly, Every 1 Hour (Malware Patrol feeds are updated on an hourly basis)
  • Recurrence:
    • Start From: Today’s Date
    • End Date: No End Date
  • Click Save

14) The data will populate at the start time set above. If it does not, click the Refresh button at the top of the data display area. Another option is to go back to the schedule settings to verify the time you set for the updates to begin. You can set another time a few minutes in the future.

15) To change the columns displayed once the data populates, click on the Select Columns button located beside the refresh button. Use the data mapping information from the setup process for each feed to know which fields are available in the Malware Patrol feed.


Malware Hashes

Benefits of the Malware Patrol Malware Hashes Data Feed

This feed contains the SHA-1 hashes of malware and ransomware samples currently available on the internet. Encountering these signatures in your environment is a sign of malicious activity.

1) From the FortiSIEM dashboard, navigate to Resources in the top navigation menu. On the left side menu that appears, you will see the types of IoC feeds that can be integrated.

2) Select Malware Hash from the menu on the left.

3) Click the + button at the upper left of this side menu to add a new Malware Hash group.

4) Enter a group name. We will use Malware Patrol for this guide.

5) Click Save. The Malware Patrol group will now appear under the Malware Hash section.

6) Select/highlight the Malware Patrol group, then click More in the top menu.

7) Select Update from the drop-down menu.

8) On the next screen, choose Update via API and click on the edit (pencil) button.

9) Enter the following to set up the feed update:

  • URL of your Malware Patrol Malware Hashes feed or evaluation feed. This can be obtained by right-clicking on the feed’s link in the Malware Patrol customer or evaluation portal.
  • Your Malware Patrol portal username and password
  • Plugin Class: no changes
  • Field separator: ,
  • Data format: CSV
  • Data update: Full

10) In the Data Mapping section, match the following:

  • Description, Position 1
  • Algorithm, Position 2
  • HashCode, Position 3
  • Malware Type, Position 4
  • Date Found, Position 5
  • Last Seen, Position 6

11) Click Save

12) Click on the Schedule: + button

13) On the next screen, enter:

  • Start Time: Set a start time a few minutes from the current time. This will cause the data to be updated after your setup is complete
  • Recurrence Pattern: Hourly, Every 1 Hour (Malware Patrol feeds are updated on an hourly basis)
  • Recurrence:
    • Start From: Today’s Date
    • End Date: No End Date
  • Click Save

14) The data will populate at the start time set above. If it does not, click the Refresh button at the top of the data display area. Another option is to go back to the schedule settings to verify the time you set for the updates to begin. You can set another time a few minutes in the future.

15) To change the columns displayed once the data populates, click on the Select Columns button located beside the refresh button. Use the data mapping information from the setup process for each feed to know which fields are available in the Malware Patrol feed.


Malware URLs

Benefits of the Malware/Ransomware URLs Data Feed

This feed contains URLs known to be hosting malware binaries. It is updated hourly to remove inactive URLs and add newly detected ones. Correlating this feed with network traffic can pinpoint a potential malware infection.

1) From the FortiSIEM dashboard, navigate to Resources in the top navigation menu. On the left side menu that appears, you will see the types of IoC feeds that can be integrated.

2) Select Malware URLs from the menu on the left.

3) Click the + button at the upper left of this menu to add a new Malware URLs group.

4) Enter a group name. We will use Malware Patrol for this guide.

5) Click Save. The Malware Patrol group will now appear under the Malware URLs section.

6) Select/highlight the Malware Patrol group, then click More in the top menu.

7) Select Update from the drop-down menu.

8) On the next screen, choose Update via API and click on the edit (pencil) button.

9) Enter the following to set up the feed update:

  • URL of your Malware Patrol Malware URLs feed or evaluation feed. This can be obtained by right-clicking on the feed’s link in the Malware Patrol customer or evaluation portal.
  • Your Malware Patrol portal username and password
  • Plugin Class: no changes
  • Field separator: ,
  • Data format: CSV
  • Data update: Full

10) In the Data Mapping section, match the following:

  • URL, Position 1
  • Malware Type, Position 2
  • Last Seen, Position 3

11) Click Save

12) Click on the Schedule: + button

13) On the next screen, enter:

  • Start Time: Set a start time a few minutes from the current time. This will cause the data to be updated after your setup is complete
  • Recurrence Pattern: Hourly, Every 1 Hour (Malware Patrol feeds are updated on an hourly basis)
  • Recurrence:
    • Start From: Today’s Date
    • End Date: No End Date
  • Click Save

14) The data will populate at the start time set above. If it does not, click the Refresh button at the top of the data display area. Another option is to go back to the schedule settings to verify the time you set for the updates to begin. You can set another time a few minutes in the future.

15) To change the columns displayed once the data populates, click on the Select Columns button located beside the refresh button. Use the data mapping information from the setup process for each feed to know which fields are available in the Malware Patrol feed.
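Before wiring a feed into FortiSIEM it is worth confirming that the downloaded CSV really has the column layout the Data Mapping steps above expect, since a mis-numbered position silently fills the wrong field. The following Python check is an added example, not Malware Patrol's or Fortinet's code; the column positions for all four feeds come from the steps above, while the sample records are constructed and the per-feed indicator checks are my own assumptions.

```python
import csv
import ipaddress
import re
from io import StringIO

# Column layouts as listed in the FortiSIEM Data Mapping steps (position 1 = first field).
FEED_LAYOUTS = {
    "malicious_domains": ["Domain Name", "Malware Type", "Description", "Date Found", "Last Seen"],
    "malicious_ips": ["Name", "Low IP", "Malware Type", "Description", "Date Found", "Last Seen"],
    "malware_hashes": ["Description", "Algorithm", "HashCode", "Malware Type", "Date Found", "Last Seen"],
    "malware_urls": ["URL", "Malware Type", "Last Seen"],
}
SHA1_RE = re.compile(r"^[0-9a-f]{40}$", re.I)          # 40 hex chars
DOMAIN_RE = re.compile(r"^([a-z0-9-]{1,63}\.)+[a-z]{2,63}$", re.I)  # basic hostname shape

def _is_ip(value):
    try:
        return ipaddress.ip_address(value) is not None  # accepts IPv4 and IPv6
    except ValueError:
        return False

# Per-feed sanity check of the indicator field; which column is the indicator is an assumption.
INDICATOR_CHECKS = {
    "malicious_domains": lambda r: bool(DOMAIN_RE.match(r["Domain Name"])),
    "malicious_ips": lambda r: _is_ip(r["Low IP"]),
    "malware_hashes": lambda r: r["Algorithm"].upper() == "SHA-1" and bool(SHA1_RE.match(r["HashCode"])),
    "malware_urls": lambda r: r["URL"].lower().startswith(("http://", "https://")),
}

def validate_feed(feed, text):
    """Parse comma-separated feed text; return (accepted rows, error messages)."""
    columns, check = FEED_LAYOUTS[feed], INDICATOR_CHECKS[feed]
    rows, errors = [], []
    for lineno, fields in enumerate(csv.reader(StringIO(text)), start=1):
        if not fields:
            continue  # blank line
        row = dict(zip(columns, (f.strip() for f in fields)))
        if len(fields) != len(columns):
            errors.append(f"line {lineno}: expected {len(columns)} fields, got {len(fields)}")
        elif not check(row):
            errors.append(f"line {lineno}: malformed indicator in {fields!r}")
        else:
            rows.append(row)
    return rows, errors

# Constructed sample records (not real feed data): one valid hash record, one with a bad hash.
SAMPLE_HASHES = (
    "Example sample,SHA-1,da39a3ee5e6b4b0d3255bfef95601890afd80709,Trojan,2023-10-01,2023-10-24\n"
    "Example sample,SHA-1,notahash,Trojan,2023-10-01,2023-10-24\n"
)
```

Run `validate_feed` on the text you downloaded from the portal for each feed type; an empty error list means the positions in the Data Mapping step will line up.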


If you need any assistance with your FortiSIEM integration, please email support (@) malwarepatrol.net or contact your Account Manager.

The post FortiSIEM Configuration Guide appeared first on Malware Patrol.

pfSense Configuration guide https://www.malwarepatrol.net/pfsense-configuration-guide/ Sun, 20 Feb 2022 07:20:57 +0000 https://www.malwarepatrol.net/?p=29162

pfSense

The pfSense project is a free network firewall distribution based on the FreeBSD operating system with a custom kernel; it also includes third-party free software packages for additional functionality. With the help of the package system, pfSense software can provide the same functionality as common commercial firewalls, or more, without any of the artificial limitations. In addition to being a powerful, flexible firewalling and routing platform, it includes a long list of related features and a package system that allows further expansion without adding bloat and potential security vulnerabilities to the base distribution. pfSense software uses Squid and SquidGuard to filter web traffic.

pfSense software includes a web interface for the configuration of all included components. There is no need for any UNIX knowledge, no need to use the command line for anything, and no need to ever manually edit any rule sets. Consequently, users familiar with commercial firewalls catch on to the web interface quickly, though there can be a learning curve for users not familiar with commercial-grade firewalls.

Malware Patrol provides block lists compatible with pfSense software. A free pfSense evaluation can be requested here. Follow the steps below to configure your pfSense instance and protect your internal network, computers, and users from malware infections.

Installing Squid3 and SquidGuard on pfSense 2.1.x

1) Open the package list: click System, then Packages, then the Available Packages tab.

2) Install the Squid package, if not already installed.

3) Install the SquidGuard package, if not already installed.

4) Configure the Squid package.

5) Configure the SquidGuard package.

6) Log into your Malware Patrol account and look for SquidGuard. Right-click on Download and select Copy link location. You will need this URL in step 9.

7) Open the General Settings tab in the SquidGuard package GUI, found under Service, then Proxy Filter.

8) Check Blacklist to enable the use of our blocklists.

9) Enter the URL you copied in step 6.

10) If pfSense is behind a proxy, enter the proxy information in Blacklist proxy (this step is not necessary in most situations).

11) Click Save.

12) Navigate to the Blacklist tab inside of SquidGuard.

13) Click the Download button.

14) Wait while our block list is downloaded and processed (may take a while). Progress will be displayed.

If you experience any difficulties configuring Squid3 to use Malware Patrol blocklists, please make sure it is working properly and contact our tech support at support (@) malwarepatrol.net.

The post pfSense Configuration guide appeared first on Malware Patrol.
