Staff
March 12, 2021
Technical Tip: How to use FortiSIEM to detect a “Sunburst”/SolarWinds Hack
Description
This article describes how to use custom Rules and Reports to detect activity that may be related to the "Sunburst" backdoor, which was delivered through a compromised update of the SolarWinds Orion IT monitoring and management software.
For more information on this hack, see the Fortinet blog post:
What We Have Learned So Far about the “Sunburst”/SolarWinds Hack | FortiGuard labs
What is included in Fortinet_FortiSIEM-Sunburst-Detection_v2.zip?
1. SUNBURST_Report_v2.xml
The reports can be run on historical data to look for indicators associated with Sunburst.
2. SUNBURST_Rule_v2.xml
The rules detect indicators relating to the Sunburst backdoor in real time as events arrive.
See the Solution section for instructions on how to load these into FortiSIEM.
Scope
- The custom Rules and Reports can be loaded into FortiSIEM 5.x and 6.x versions.
- Appropriate logging is required for the rules and reports to have events to match on; in particular, Sysmon must be deployed on the Windows hosts to be monitored, and DNS query logging must be forwarded to FortiSIEM.
- See the External System Configuration Guide for DNS configuration and the Windows Agent Configuration guide for Sysmon and agent setup.
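The imported rules and reports match on the DNS and Sysmon events described above. The following is an added illustration of the kind of check they perform, written for this article; it is not the logic of the FortiSIEM rule package and not code from the page. It runs over a few constructed Sysmon Event ID 22 (DnsQuery) records and flags queries for the publicly reported Sunburst command-and-control parent domain avsvmcloud.com (from the December 2020 FireEye disclosure; the page itself does not list indicators). The sample records, the field layout and the process names are assumptions made for the example.

```python
import re

# Constructed sample Sysmon Event ID 22 (DnsQuery) and Event ID 1 records,
# flattened to "key=value" pairs as a syslog forwarder might emit them.
# These are made-up test inputs, not logs from any real incident.
SAMPLE_EVENTS = [
    "EventID=22 Image=C:\\Program Files\\SolarWinds\\Orion\\SolarWinds.BusinessLayerHost.exe "
    "QueryName=02m6hcopd1gsa5dw7i90.appsync-api.eu-west-1.avsvmcloud.com QueryStatus=0",
    "EventID=22 Image=C:\\Windows\\System32\\svchost.exe "
    "QueryName=ctldl.windowsupdate.com QueryStatus=0",
    # Looks similar but is a different registered domain; must NOT match.
    "EventID=22 Image=C:\\Users\\alice\\browser.exe QueryName=notavsvmcloud.com QueryStatus=0",
    # Not a DNS event at all; must be ignored.
    "EventID=1 Image=C:\\Windows\\System32\\cmd.exe CommandLine=cmd.exe /c whoami",
    # Upper-case name and a failed lookup (non-zero QueryStatus): still a beacon attempt.
    "EventID=22 Image=C:\\Program Files\\SolarWinds\\Orion\\SolarWinds.BusinessLayerHost.exe "
    "QueryName=AVSVMCLOUD.COM QueryStatus=9003",
]

# Publicly reported Sunburst C2 parent domain (FireEye, December 2020).
# Supplied here for the example; the article does not list indicators.
C2_PARENT_DOMAINS = {"avsvmcloud.com"}

# Splits "k1=v1 k2=v2 with spaces k3=v3" into fields. A value runs until the
# next " word=" token, so paths containing spaces survive intact.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")


def parse_event(line):
    """Return the key=value fields of one flattened Sysmon record as a dict."""
    return {key: value for key, value in FIELD_RE.findall(line)}


def domain_matches(query_name, parent_domains):
    """True if query_name is a parent domain or a subdomain of one.

    The comparison is case-insensitive, ignores a trailing dot, and only
    matches on a label boundary, so "notavsvmcloud.com" is not a hit while
    every DGA-style subdomain "<label>.avsvmcloud.com" is.
    """
    name = query_name.rstrip(".").lower()
    return any(name == parent or name.endswith("." + parent) for parent in parent_domains)


def detect_sunburst_dns(lines, parent_domains=C2_PARENT_DOMAINS):
    """Return one finding per Sysmon DnsQuery event that resolves a C2 parent domain.

    QueryStatus is deliberately not filtered: a failed lookup (NXDOMAIN, no
    server) is still evidence that the implant tried to beacon.
    """
    findings = []
    for line in lines:
        event = parse_event(line)
        if event.get("EventID") != "22":
            continue
        query = event.get("QueryName", "")
        if domain_matches(query, parent_domains):
            findings.append({
                "image": event.get("Image"),
                "query": query,
                "status": event.get("QueryStatus"),
            })
    return findings


if __name__ == "__main__":
    for finding in detect_sunburst_dns(SAMPLE_EVENTS):
        print(f"SUNBURST DNS indicator: {finding['query']} from {finding['image']} "
              f"(QueryStatus={finding['status']})")
```

Run against the constructed input this reports two events, the DGA-style subdomain query and the upper-case failed lookup, and skips the look-alike domain and the non-DNS event. When hunting over historical data with the imported reports, apply the same two caveats: match the parent domain on a label boundary rather than by substring, and do not restrict to successful resolutions.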
Solution
All screen shots provided below for illustration purposes are taken from FortiSIEM 6.x
1. Download the Fortinet_FortiSIEM-Sunburst-Detection_v2.zip file (contains 2 files)
2. Unzip Fortinet_FortiSIEM-Sunburst-Detection_v2.zip
3. Use SUNBURST_Report_v2.xml as the file to import the Reports
a. Navigate to Resource / Reports
b. It is recommended that a new group called “SUNBURST Attack” is created under Resource / Reports / Security and that the reports are imported into this group.
c. Select the Import option under "More"
d. Select SUNBURST_Report_v2.xml and import.
4. Use SUNBURST_Rule_v2.xml as the file to import the Rules
a. Navigate to Resource / Rules
b. It is recommended that a new group called “SUNBURST Attack” is created under Resource / Rules / Security / Threat Hunting and that the rules are imported into this group.
c. Click Import
d. Select SUNBURST_Rule_v2.xml and import.
e. Filter the rules on SUNBURST and ensure that they are Enabled.
Imported and enabled Rules

Imported Reports

Related Articles
How to use FortiAnalyzer to detect a “Sunburst”/SolarWinds Hack
