keithli_FTNT
Staff

Description

This article describes how to use a custom Event Handler and Report in FortiAnalyzer to detect attempts to exploit a Remote Code Execution vulnerability in Apache Log4j2. The vulnerability is assigned CVE-2021-44228.

For more information about this attack, see the following FortiGuard Outbreak Alert:

FortiGuard Outbreak Alert - Log4j2 Vulnerability


What is included in Fortinet_SOC-Log4j2-Detection-v3.zip?

1. log4j2_event-handler.json
This event handler helps identify exploit attempts detected by FortiGate's AV, IPS and Application Control as well as FortiClient's Application Firewall. The logs that trigger the event handler are generated by FortiGate and FortiClient, so their AV and IPS signatures should be kept up to date so that exploit attempts are both blocked and logged.

2. log4j2_report.dat
A report that summarizes the attack attempts found in FortiGate and FortiClient logs.

3. fgt_log4j2_event-handler.json
The event handler for FortiGate ADOMs.

4. fgt_log4j2_report.dat
The report for FortiGate ADOMs.

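To make concrete what the event handler and report above key on, here is an added example (not part of the article or the Fortinet package) that applies the same kind of filter to constructed FortiGate-style key="value" log lines: it keeps only UTM logs whose IPS, AV or Application Control signature names Log4j and summarizes them per source address and per detection engine. The field names, signature strings and addresses are assumptions for illustration, not values from the page.

```python
import re
from collections import Counter

# Constructed sample logs in FortiGate-style key="value" syslog format.
# Field names, signature names and addresses are assumptions for
# illustration only; they are not taken from the article or the package.
SAMPLE_LOGS = [
    'date=2021-12-13 time=10:01:02 devname="FGT-1" type="utm" subtype="ips" action="dropped" '
    'srcip="203.0.113.10" dstip="192.0.2.20" attack="Apache.Log4j.Error.Log.Remote.Code.Execution"',
    'date=2021-12-13 time=10:01:05 devname="FGT-1" type="utm" subtype="ips" action="detected" '
    'srcip="203.0.113.11" dstip="192.0.2.20" attack="Apache.Log4j.Error.Log.Remote.Code.Execution"',
    'date=2021-12-13 time=10:02:10 devname="FGT-1" type="utm" subtype="virus" action="blocked" '
    'srcip="203.0.113.10" dstip="192.0.2.21" virus="Java/Log4j.Exploit!tr"',
    'date=2021-12-13 time=10:03:00 devname="FGT-1" type="utm" subtype="ips" action="detected" '
    'srcip="198.51.100.5" dstip="192.0.2.30" attack="SSH.Connection.Brute.Force"',
    'date=2021-12-13 time=10:04:00 devname="FGT-1" type="traffic" subtype="forward" action="accept" '
    'srcip="198.51.100.6" dstip="192.0.2.30"',
]

# Matches key=value or key="quoted value"; group 2 is the quoted form, group 3 the bare form.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Signature fields written by IPS, AV and Application Control respectively (assumed names).
SIGNATURE_FIELDS = ("attack", "virus", "app")
LOG4J_RE = re.compile(r"log4j", re.IGNORECASE)


def parse_log(line):
    """Turn one FortiGate-style log line into a dict of fields."""
    return {key: quoted or bare for key, quoted, bare in KV_RE.findall(line)}


def is_log4j_event(rec):
    """Mirror the event handler's filter: a UTM log whose signature names Log4j."""
    if rec.get("type") != "utm":
        return False
    return any(LOG4J_RE.search(rec.get(field, "")) for field in SIGNATURE_FIELDS)


def summarize(lines):
    """Aggregate matching logs the way the report does: total, per source, per engine, blocked."""
    hits = [rec for rec in map(parse_log, lines) if is_log4j_event(rec)]
    return {
        "total": len(hits),
        "by_source": Counter(rec.get("srcip") for rec in hits),
        "by_subtype": Counter(rec.get("subtype") for rec in hits),
        "blocked": sum(1 for rec in hits if rec.get("action") in ("dropped", "blocked")),
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_LOGS))
```

A "detected" hit that was not dropped or blocked is the case worth chasing in the report, since it means the signature fired but the traffic was not stopped.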

Scope

The custom Event Handler and Report provided can be used in FortiAnalyzer 6.4+.

Solution

All screenshots provided below for illustration purposes are taken from FortiAnalyzer 6.4.4.
1) Download the Fortinet_SOC-Log4j2-Detection-v3.zip file (it contains 4 files).
2) Unzip Fortinet_SOC-Log4j2-Detection-v3.zip.
3) Import log4j2_event-handler.json or fgt_log4j2_event-handler.json into Event Handlers:
- Choose an ADOM (if ADOMs are enabled). The ADOM may be of type Fabric or FortiGate.
- Choose the FortiSOC module.
- Select Event Handler List.
- Select the Import option under "More".
- Select log4j2_event-handler.json for Fabric ADOMs or fgt_log4j2_event-handler.json for FortiGate ADOMs.

[Screenshot: EventHandlerList-FortiDemo.png]

 

Result:

The event handler is enabled on import and will be triggered by any matching logs received after the import.

 

4) Import log4j2_report.dat or fgt_log4j2_report.dat into Reports:
- Choose an ADOM (if ADOMs are enabled). The ADOM may be of type Fabric or FortiGate.
- Choose the Report module.
- Select the Import option under "More".
- Select log4j2_report.dat for Fabric ADOMs or fgt_log4j2_report.dat for FortiGate ADOMs.

[Screenshot: ImportReport.png]

 

Result:

The imported 'Log4j2_Vulnerability_report' can be run at any time by an admin user.

 

Comments
ck_FTNT
Staff

The error "adom type mismatching" when uploading "Log4j2 Report.dat" means you are not uploading the report to a Fabric type ADOM as mentioned in step 4).


https://docs.fortinet.com/document/fortianalyzer/6.4.7/administration-guide/718923/root-adom