FortiAnalyzer
FortiAnalyzer can receive logs and Windows host events directly from endpoints connected to EMS, and you can use FortiAnalyzer to analyze the logs and run reports.
keithli_FTNT
Staff
Staff

Description

This article describes how to use a custom Event Handler in FortiAnalyzer to detect activities related to exploits of Zoho ManageEngine ServiceDesk Plus, which is vulnerable to unauthenticated remote code execution. The vulnerability is assigned CVE-2021-44077.

 

What is included in Fortinet_SOC-Zoho-Malware-Detection.zip?
1. Zoho Exploit_event-handler.json
This event handler helps identify exploit attempts detected by FortiGate's AV, IPS and App Control detection. Also, it relies on FortiClient’s AV, Vulnerability and web filter detection as well as FortiSandbox detection. Logs triggering the event handler are generated from the FortiGate, FortiClient and FortiSandbox. Therefore, their corresponding AV signature should be kept up to date to prevent and log the exploits.

Scope

The custom Event Handler provided can be used in FortiAnalyzer 6.4+.

 

Solution

All screenshots provided below for illustration purposes are taken from FortiAnalyzer 6.4.4.
1) Download the Fortinet_SOC-Zoho-Malware-Detection.zip file (contains 2 files)
2) Unzip Fortinet_SOC-Zoho-Malware-Detection.zip
3) Use Zoho Exploit_event-handler.json to import into Event Handlers
     a. Choose an ADOM (if ADOMs are enabled)
     b. Choose the FortiSOC module
     c. Select Event Handler List
     d. Select the Import option under "More"
     e. Select Zoho Exploit_event-handler.json
EventHandlerList-FortiDemo.png

 

Result:

Zoho Exploit_event-handler.json is enabled and will be triggered if the appropriate logs are received after the event handler was imported

 

Related

https://www.fortiguard.com/outbreak-alert/zoho-exploit 

Contributors