Cybersecurity Forum

This forum is for all security enthusiasts to discuss Fortinet's latest & evolving technologies and to connect & network with peers in the cybersecurity hemisphere. Share and learn on a broad range of topics like best practices, use cases, integrations and more. For support specific questions/resources, please visit the Support Forum or the Knowledge Base.


Sunburst APT - FortiSIEM Forensic Reports

As you're no doubt aware, the recently discovered Sunburst hack of Solarwinds tools has caused extreme consternation. Many users will be wondering if Sunburst has been active in their network. For this attack, there are numerous indicators of compromise (IOCs), a number of which I've tried to capture in the attached FortiSIEM reports.

Who can use it

So far, it seems that Sunburst effects the SolarWinds Orion tool, so shops using this tool ought to look for IOCs. Anyone who needs a means of searching for IOCs in the event history can make use of these reports.

How it works

Import the attached XML file into FortiSIEM reports, perhaps first creating a custom directory to hold the 4 reports.

These reports scan historical events (based on a user-selected timeframe) for host names & IPs known to be associated with Sunburst. Any results shown in these reports will show communication to or from hosts associated with this attack.

There are two sets of reports, one for inbound, another for outbound activity. This is done for legibility.
There are also two versions of in & outbound. They show the same data, but one version searches using a 'contains' operator and is the more exhaustive, but perhaps longer running query. If you choose to run the exhaustive reports, there's no reason to run the quicker ones.

I imagine the outbound activity reports may be more likely to find suspicious events, but I haven't had the opportunity to try this yet on a network with a compromised instance of SolarWinds Orion.


These reports should be considered a basic means of looking for Sunburst activity. They're not exhaustive; if no results are shown, an infection could still be present. Since Sunburst operates as an APT, these reports should be run across many weeks or months of event history, keeping in mind they may take some time to run.