This article describes how to use a custom event handler in FortiAnalyzer to raise alerts for incident response related to attacks that attempt to leverage the Apache RocketMQ Remote Command Execution Vulnerability. A report is also provided to gain historical visibility into the logs.
This article contains the files necessary to load an event handler and report into the FortiAnalyzer for either a Fabric ADOM or a FortiGate ADOM. The Fabric report and event handler leverage logs from other Fortinet products that can be used to detect the attack in addition to FortiGate logs.
What is included in Fortinet_ Apache RocketMQ Remote Command Execution Vulnerability.zip:
The event handler is enabled and will be triggered if the appropriate logs are received following the import of the event handler.
Edit the event handler to customize the notification section.
The Apache RocketMQ RCE Report can be run anytime as determined by an admin user.