ck_FTNT
Staff
Description

This article describes how to use a custom event handler in FortiAnalyzer to raise alerts, for incident response purposes, on attacks that attempt to exploit a remote code execution vulnerability in the Microsoft HTTP protocol stack.


The vulnerability is caused by an improper boundary check in the protocol stack when it handles a crafted HTTP request.

A remote attacker may be able to exploit this to execute arbitrary code in the context of the application by sending a crafted HTTP request.

This vulnerability is assigned CVE-2022-21907.

For more information about this attack, see the following FortiGuard Outbreak Alert:

FortiGuard Outbreak Alert - WinHTTP Protocol Stack RCE


What is included in Fortinet_Windows_HTTP_Protocol_stack_RCE.zip?

1) Windows HTTP Protocol Stack RCE_event-handler.json

This event handler helps identify attacks that attempt to exploit the remote code execution vulnerability in the Microsoft HTTP protocol stack, as detected in FortiGate, FortiClient and FortiSandbox logs.

2) Windows HTTP Protocol Stack RCE_report.dat

This report displays the findings on the HTTP protocol stack RCE outbreak from FortiGate, FortiClient and FortiSandbox logs.

3) fgt_Windows HTTP Protocol Stack RCE_event-handler.json

The event handler for FortiGate ADOMs, which is configured for FortiGate logs only.

4) fgt_Windows HTTP Protocol Stack RCE_report.dat

The report for FortiGate ADOMs, which includes FortiGate charts only.

Scope

This event handler and report help to detect the outbreak based on FortiGate AV, IPS and Application Control detections, FortiClient AV, Vulnerability and Web Filter detections, and FortiSandbox detections.

Solution

All screenshots provided below for illustration purposes are taken from FortiAnalyzer 7.0.3.

1) Download the Fortinet_Windows_HTTP_Protocol_stack_RCE.zip file (it contains 4 files).

2) Unzip Fortinet_Windows_HTTP_Protocol_stack_RCE.zip.

3) Import Windows HTTP Protocol Stack RCE_event-handler.json or fgt_Windows HTTP Protocol Stack RCE_event-handler.json into Event Handlers:

- Choose an ADOM (if ADOMs are enabled). The ADOM may be of type Fabric or FortiGate.
- Choose the FortiSOC module.
- Select Event Handler List.
- Select the Import option under More.
- Select the appropriate event handler for your ADOM type.


Result:

Once imported, the event handler is enabled and will be triggered when matching logs are received. You may wish to edit the event handler to customize the notification section.


4) Import Windows HTTP Protocol Stack RCE_report.dat or fgt_Windows HTTP Protocol Stack RCE_report.dat into Reports:

- Choose an ADOM (if ADOMs are enabled). The ADOM may be of type Fabric or FortiGate.
- Choose the Report module.
- Select the Import option under More.
- Select the appropriate file for the ADOM type to add the report to the ADOM.


Result:

The (fgt_)Windows HTTP Protocol Stack RCE_report can be run at any time by an admin user.