FortiSIEM
FSM_FTNT, Staff
Article Id 200675

Description

This article describes how to use custom Rules and Reports to detect activity related to the Emotet malware, which has recently been observed in spam campaigns.

What is included in Fortinet_FortiSIEM-Emotet-Malware-Detection.zip?
1. FortiSIEM_Emotet_Rules.xml
These Rules help identify exploit attempts detected by FortiGate's AV, IPS, and App Control. They also rely on FortiClient's AV, Vulnerability, and web filter detection, and on FortiSandbox detection. The logs that trigger the Rules are generated by FortiGate, FortiClient, and FortiSandbox, so it is essential that the corresponding AV signatures on each of these are kept up to date so that the exploits are prevented and logged.


2. FortiSIEM_Emotet_Reports.xml

These Reports can be run on a schedule or on demand and help identify exploit attempts detected by FortiGate's AV, IPS, and App Control. They also rely on FortiClient's AV, Vulnerability, and web filter detection, and on FortiSandbox detection. The logs within the Reports are generated by FortiGate, FortiClient, and FortiSandbox, so it is essential that the corresponding AV signatures on each of these are kept up to date so that the exploits are prevented and logged. The Reports also look for defined, specific file hashes that have been observed in connection with Emotet.
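To picture the kind of matching the Rules and Reports described above perform (signature hits from FortiGate AV and IPS plus a known-hash check), here is an added example that is not code from the package or from Fortinet. The log lines are constructed in FortiGate-style key=value syntax; the filehash field name and the hash value are assumptions, and the real Emotet hashes are the ones carried in the Reports XML.

```python
import re

# Constructed sample events in FortiGate-style key="value" syntax (illustrative, not real device output).
SAMPLE_LOGS = [
    'date=2021-11-20 time=10:15:02 devname="fgt-edge" type="utm" subtype="virus" eventtype="infected" level="warning" srcip=10.1.2.3 dstip=198.51.100.7 virus="W32/Emotet.ABC!tr" filename="invoice.doc" action="blocked"',
    'date=2021-11-20 time=10:16:44 devname="fgt-edge" type="utm" subtype="ips" eventtype="signature" level="alert" srcip=10.1.2.3 dstip=203.0.113.9 attack="Emotet.Botnet" action="dropped"',
    'date=2021-11-20 time=10:17:10 devname="fgt-edge" type="utm" subtype="virus" eventtype="infected" level="warning" srcip=10.1.2.9 dstip=198.51.100.8 virus="EICAR_TEST_FILE" filename="eicar.com" action="blocked"',
    'date=2021-11-20 time=10:18:31 devname="fgt-edge" type="utm" subtype="virus" eventtype="analytics" level="notice" srcip=10.1.2.5 dstip=198.51.100.9 filename="report.xlsm" filehash="0123456789abcdef0123456789abcdef" action="passthrough"',
]

# Placeholder indicator list (constructed). The package's Reports XML carries the real Emotet-related hashes.
KNOWN_EMOTET_HASHES = {"0123456789abcdef0123456789abcdef"}

# key=value pairs; values may be bare tokens or double-quoted strings with escapes.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_kv(line):
    """Turn one FortiGate-style log line into a dict of field -> value (quotes stripped)."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def classify(event):
    """Return why an event matches the Emotet conditions, or None if it does not."""
    if event.get("type") != "utm":
        return None
    sub = event.get("subtype")
    if sub == "virus" and "emotet" in event.get("virus", "").lower():
        return "av_signature"          # FortiGate AV engine named an Emotet variant
    if sub == "ips" and "emotet" in event.get("attack", "").lower():
        return "ips_signature"         # FortiGate IPS signature for Emotet traffic
    if event.get("filehash", "").lower() in KNOWN_EMOTET_HASHES:
        return "known_hash"            # file hash on the known-indicator list
    return None


def find_emotet_events(lines):
    """Return (source IP, match reason) for each event that matches; non-matching lines are dropped."""
    hits = []
    for line in lines:
        event = parse_kv(line)
        reason = classify(event)
        if reason:
            hits.append((event.get("srcip"), reason))
    return hits


if __name__ == "__main__":
    for src, reason in find_emotet_events(SAMPLE_LOGS):
        print(f"{src}: {reason}")
```

The EICAR line is left unmatched on purpose: a report keyed only on subtype="virus" would pull in every AV hit, so the name and hash conditions are what keep the result specific to Emotet.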

Scope

The custom Rules and Reports provided can be used in FortiSIEM 6.2+.

Solution

All screenshots provided below for illustration purposes are taken from FortiSIEM 6.3.2.

1. Download the Fortinet_FortiSIEM-Emotet-Malware-Detection.zip file (contains 2 files).

2. Unzip Fortinet_FortiSIEM-Emotet-Malware-Detection.zip.

3. Use FortiSIEM_Emotet_Reports.xml as the file to import the Reports:
a. Navigate to Resource / Reports.
b. It is recommended to create a new group called “Emotet Attack” under Resource / Reports / Security and import the reports to this group.
c. Select the Import option under More.
d. Select FortiSIEM_Emotet_Reports.xml and import.

4. Use FortiSIEM_Emotet_Rules.xml as the file to import the Rules:
a. Navigate to Resource / Rules.
b. It is recommended to create a new group called “Emotet Attack” under Resource / Rules / Security / Threat Hunting and import the rules to this group.
c. Click Import.
d. Select FortiSIEM_Emotet_Rules.xml and import.
e. Filter the rules on Emotet and ensure they are enabled.

Imported and enabled Rules

[Screenshot: Emotet Rules.png]

Imported Reports

[Screenshot: Emotet Reports.png]