Technical Tip: Using FortiSIEM to detect Confluence RCE | CVE-2022-26134

This article describes how to use a custom Rules in FortiSIEM to raise alerts for incident response related to attacks that attempt to exploit the remote code execution vulnerability CVE-2022-26134.

For more information, check the FortiGuard outbreak alert.

FortiSIEM

1) Use Fortinet_FortiSIEM_Confluence_RCE_Reports_v1.xml as the file to import the Reports.

- Navigate to Resource / Reports.
- It is recommended to create a new group under Resource / Reports / Security called 'Confluence RCE' and import reports to this group.

- Select the Import option under More.
- Select Fortinet_FortiSIEM_Confluence_RCE_Reports_v1.xml and import.

2) Use Fortinet_FortiSIEM_Confluence_RCE_Rules_v1.xml as the file to import the Rules.

- Navigate to Resource / Rules.
- It is recommended to create a new group under Resource / Rules / Security / Threat Hunting is created called 'Confluence RCE' and import the rules to this group.

- Select the Import.

- Select Fortinet_FortiSIEM_Follinat_Confluence_RCE_v1.xml and import.

- Select the Import.

- Select Fortinet_FortiSIEM_Follina_Confluence_RCE_v1.xml and import.
- Validate that these Rules are enabled.

FortiSIEM provides content packs for easy installation of these Rules and Reports:

6.4.0, 6.4.1
https://help.fortinet.com/fsiem/6-4-0/Online-Help/HTML5_Help/content_updates.htm#Content9

6.5.0
https://help.fortinet.com/fsiem/6-5-0/Online-Help/HTML5_Help/content_updates.htm#Content3

What is included in Fortinet_FortiSIEM_Confluence_RCE.zip?

- A FortiSIEM Rule to help with detection.
- A FortiSIEM Report to help with historical reporting.