Staff
May 13, 2021
Technical Note: How to use FortiSIEM to detect activities related the DarkSide Ransomware
Description
This article describes how to use custom Rules and Reports to detect activities that may be related to the DarkSide ransomware.
For more information on the threat, see the FortiGuard Labs Threat Signal Report:
Colonial Pipeline Attack Attributed to DarkSide Ransomware Group
What is included in Fortinet_FortiSIEM_SOC-DarkSide-Detection.zip?
1. DARKSIDE_Report_v1.xml
The reports can be run on historical data to search for indicators associated with DarkSide.
2. DARKSIDE_Rule_v1.xml
The rules detect indicators associated with DarkSide in real time as events arrive.
See the Solution section for instructions on how to load these into FortiSIEM.
Scope
The custom Rules and Reports can be loaded into FortiSIEM 5.x and 6.x.
Solution
All screenshots below are for illustration and were taken from FortiSIEM 6.x.
1. Download the Fortinet_FortiSIEM-DarkSide-Detection.zip file (contains two files).
2. Unzip Fortinet_FortiSIEM-DarkSide-Detection.zip.
3. Use DARKSIDE_Report_v1.xml to import the Reports:
a. Navigate to Resource / Reports.
b. It is recommended to create a new group under Resource / Reports / Security called "DARKSIDE Attack" and import the reports into this group.
c. Select the Import option under "More".
d. Select DARKSIDE_Report_v1.xml and import.
4. Use DARKSIDE_Rule_v1.xml to import the Rules:
a. Navigate to Resource / Rules.
b. It is recommended to create a new group under Resource / Rules / Security / Threat Hunting called "DARKSIDE Attack" and import the rules into this group.
c. Click Import.
d. Select DARKSIDE_Rule_v1.xml and import.
e. Filter the rules on DARKSIDE and ensure that they are Enabled. Imported rules only evaluate events received after they are enabled, so run the imported reports over the historical time range of concern to cover activity that predates the import.
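As an added pre-import sanity check (example code written for this note, not part of the Fortinet package or the FortiSIEM product), the following Python script opens the content package in memory, confirms that both expected XML files are present and well-formed, lists the rule and report names it finds, and flags any DARKSIDE rule that is not marked active so step 4e can be verified before and after import. The element names it looks for (`<rule>`/`<name>`, `<active>`, `<report>`/`<name>`) are assumptions for the demonstration and must be checked against a real FortiSIEM export; the package it builds is constructed sample data, not the real DARKSIDE content.

```python
"""Pre-import sanity check for a FortiSIEM rule/report content package.

Added example, not Fortinet code. The XML element names used below are
ASSUMED for the demonstration and should be verified against a real export.
"""
import io
import xml.etree.ElementTree as ET
import zipfile

# File names as listed in the technical note.
EXPECTED_MEMBERS = {"DARKSIDE_Report_v1.xml", "DARKSIDE_Rule_v1.xml"}

# Constructed sample content (not the real DARKSIDE rules or reports).
SAMPLE_RULES_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<rules>
  <rule><name>DARKSIDE: Suspicious Tool Execution (constructed)</name><active>true</active></rule>
  <rule><name>DARKSIDE: Known C2 Connection (constructed)</name><active>false</active></rule>
</rules>"""
SAMPLE_REPORTS_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<reports>
  <report><name>DARKSIDE: Historical Indicator Search (constructed)</name></report>
</reports>"""
BROKEN_RULES_XML = b"<rules><rule><name>truncated on purpose"  # not well-formed


def build_sample_package(corrupt: bool = False) -> bytes:
    """Build an in-memory zip shaped like the content package (constructed data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("DARKSIDE_Report_v1.xml", SAMPLE_REPORTS_XML)
        zf.writestr("DARKSIDE_Rule_v1.xml", BROKEN_RULES_XML if corrupt else SAMPLE_RULES_XML)
    return buf.getvalue()


def inspect_package(zip_bytes: bytes) -> dict:
    """Report members, missing/unparseable files, and the rule/report names found."""
    result = {"members": [], "missing": [], "unparseable": [], "rules": [], "reports": []}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        result["members"] = sorted(zf.namelist())
        result["missing"] = sorted(EXPECTED_MEMBERS - set(result["members"]))
        for member in result["members"]:
            if not member.lower().endswith(".xml"):
                continue
            try:
                root = ET.fromstring(zf.read(member))
            except ET.ParseError:
                # A file that does not parse here will not import cleanly either.
                result["unparseable"].append(member)
                continue
            # Assumed schema: <rule> carries <name> and <active>, <report> carries <name>.
            for rule in root.iter("rule"):
                name = rule.findtext("name", default="(unnamed)")
                active = rule.findtext("active", default="").strip().lower() == "true"
                result["rules"].append((name, active))
            for report in root.iter("report"):
                result["reports"].append(report.findtext("name", default="(unnamed)"))
    return result


def disabled_rules(result: dict, keyword: str = "DARKSIDE") -> list:
    """Names of rules matching keyword that are not marked active (step 4e check)."""
    return [name for name, active in result["rules"]
            if keyword in name.upper() and not active]


if __name__ == "__main__":
    summary = inspect_package(build_sample_package())
    print("members:", summary["members"])
    print("missing:", summary["missing"], "unparseable:", summary["unparseable"])
    print("reports:", summary["reports"])
    for name, active in summary["rules"]:
        print(("ENABLED " if active else "DISABLED") + "  " + name)
    print("DARKSIDE rules to enable:", disabled_rules(summary))
```

Point `inspect_package` at the bytes of the downloaded zip instead of `build_sample_package()` to check a real package; if `unparseable` is non-empty the file was damaged in transit, and anything listed by `disabled_rules` after import still needs to be switched to Enabled in the Rules view.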
[Screenshot: Imported and enabled Rules]
[Screenshot: Imported Reports]
[Screenshot: Example Incidents]