This article describes how to use a custom Event Handler and Report in FortiAnalyzer to detect attack attempts to exploit a Remote Code Execution Vulnerability in Apache Log4j2. The vulnerability is assigned CVE-2021-44228.
For more information about this attack, see the following FortiGuard Outbreak Alert:
What is included in Fortinet_SOC-Log4j2-Detection-v3.zip?
This event handler helps identify exploit attempts detected by FortiGate's AV, IPS, and Application Control, as well as by FortiClient's Application Firewall. The logs that trigger the event handler are generated by FortiGate and FortiClient, so the AV and IPS signature packages on those devices should be kept up to date, both to block the exploit attempts and to log them.
A report to summarize findings on attack attempts found in FortiGate and FortiClient logs.
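To make the detection logic concrete, the following Python script is an added example (not Fortinet's event handler or report code) that emulates what the event handler does: it parses FortiGate-style key=value log lines, keeps only UTM logs whose IPS attack name or AV virus name contains "Log4j", and summarizes the hits by source IP and action, as the report would. The log lines are constructed for this example, and the signature names in them are assumed placeholders rather than names taken from the article.

```python
import re
from collections import Counter

# Constructed FortiGate-style key=value log lines (not real device output).
# The attack/virus names are assumed placeholders; the filter only relies on
# the substring "Log4j" being present in the signature name.
SAMPLE_LOGS = [
    'date=2021-12-11 time=10:15:02 devname="fgt-edge" type="utm" subtype="ips" '
    'eventtype="signature" level="alert" srcip=198.51.100.7 dstip=10.0.0.5 dstport=8080 '
    'attack="Apache.Log4j.Error.Log.Remote.Code.Execution" action="dropped"',
    'date=2021-12-11 time=10:15:09 devname="fgt-edge" type="utm" subtype="ips" '
    'eventtype="signature" level="alert" srcip=198.51.100.7 dstip=10.0.0.6 dstport=443 '
    'attack="Apache.Log4j.Error.Log.Remote.Code.Execution" action="detected"',
    'date=2021-12-11 time=10:16:30 devname="fgt-edge" type="utm" subtype="virus" '
    'eventtype="infected" level="warning" srcip=203.0.113.9 dstip=10.0.0.5 '
    'virus="Java/Log4j.Exploit!tr" action="blocked"',
    'date=2021-12-11 time=10:17:00 devname="fgt-edge" type="traffic" subtype="forward" '
    'srcip=192.0.2.4 dstip=10.0.0.5 dstport=8080 action="accept"',
    'date=2021-12-11 time=10:18:45 devname="fgt-edge" type="utm" subtype="ips" '
    'eventtype="signature" level="alert" srcip=203.0.113.9 dstip=10.0.0.5 dstport=80 '
    'attack="HTTP.Unix.Shell.IFS.Remote.Code.Execution" action="dropped"',
]

# Matches key=value pairs; quoted values may contain spaces, unquoted ones may not.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_fortigate_log(line):
    """Split a FortiGate key=value log line into a dict, stripping quotes."""
    return {m.group(1): (m.group(3) if m.group(3) is not None else m.group(4))
            for m in KV_RE.finditer(line)}


def is_log4j_event(record):
    """Emulate the event-handler filter: a UTM log (IPS or AV) whose attack or
    virus name mentions Log4j. Traffic logs never match."""
    if record.get("type") != "utm":
        return False
    name = record.get("attack") or record.get("virus") or ""
    return "log4j" in name.lower()


def summarize(lines):
    """Return the matching records and per-source / per-action counts,
    the kind of breakdown the report tabulates."""
    hits = [r for r in map(parse_fortigate_log, lines) if is_log4j_event(r)]
    by_src = Counter(r["srcip"] for r in hits)
    by_action = Counter(r["action"] for r in hits)
    return hits, by_src, by_action


if __name__ == "__main__":
    hits, by_src, by_action = summarize(SAMPLE_LOGS)
    for r in hits:
        print(f'{r["date"]} {r["time"]} {r["srcip"]} -> {r["dstip"]} '
              f'{r.get("attack") or r.get("virus")} [{r["action"]}]')
    print("by source:", dict(by_src))
    print("by action:", dict(by_action))
```

The filter deliberately ignores traffic logs: only UTM logs carry the signature name that proves a detection, which is why the article stresses keeping the AV and IPS signature packages current. An "action" of "detected" rather than "dropped" is worth surfacing separately in the report, since it means the attempt was logged but not blocked.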
The custom Event Handler and Report provided can be used in FortiAnalyzer 6.4+.
All screenshots provided below for illustration purposes are taken from FortiAnalyzer 6.4.4.
Once imported, the event handler is enabled and will be triggered as soon as matching logs are received.
Note: If the 'adom type mismatching' error appears when uploading 'Log4j2 Report.dat', this means the report is not being uploaded to a Fabric type ADOM. Fabric ADOMs support all reports, regardless of the device type used in the charts and datasets. For example, a FortiGate report (fgt_log4j2_report.dat) cannot be imported to an ADOM for a different device type; it can only be imported to a FortiGate or Fabric ADOM.
'Log4j2_Vulnerability_report' can be run at any time by an admin user.