Help
FortiSIEM
FortiSIEM provides Security Information and Event Management (SIEM) and User and Entity Behavior Analytics (UEBA)
FSM_FTNT
Staff
Staff

Created on ‎12-14-2021 04:30 AM Edited on ‎12-20-2021 12:51 PM By Anonymous

Article Id 201082

Technical Tip: How to use FortiSIEM to detect activities related to the log4shell vulnerability CVE-2021-44228

Description

This article describes how to use custom Rules and Reports to help detect activity related to the log4j vulnerability CVE-2021-44228.

 

What is included in Fortinet_FortiSIEM-log4j-Detection-v1.zip?


1) FortiSIEM_log4j_Rules_v2.xml.


These Rules help identify exploit attempts detected by FortiGate's IPS, or Events categorised as Permitted Traffic with the URI or HTTP content (see rules for specific attributes) that match a particular regex pattern.

 

2) FortiSIEM_log4j_Reports_v2.1.xml.

 

These Reports can be run on a schedule or on-demand and help identify exploit attempts detected by FortiGate's IPS, or Events categorised as Permitted Traffic with the URI or HTTP content (see rules for specific attributes) that match a particular regex pattern.

 

For more information about this attack, see the following FortiGuard Outbreak Alert: FortiGuard Outbreak Alert - Log4j2 Vulnerability

 

Updated: 2021-12-17 - revision 2, changes to the "Log4J Exploit Request Detected By Regex" Rule to increase the scope and reduce false positives.

Updated: 2021-12-20 - no change in content, but revised Report file naming to v2 in line with Solution steps below. The report content remains the same.

Updated: 2021-12-20 - updated Reports to version 2.1. Provides better support for import on some FortiSIEM versions.
Scope The custom Rules and Reports provided can be used in FortiSIEM 6.x.
Solution

All screenshots provided below for illustration purposes are taken from FortiSIEM 6.3.2.

 

1) Download the Fortinet_FortiSIEM-log4j-Detection-v2.zip file (contains 2 file).

 

2) Unzip Fortinet_FortiSIEM-log4j-Detection-v2.zip

 

3) Use FortiSIEM_log4j_Reports_v2.1.xml  as the file to import the Reports
- Navigate to Resource / Reports.
- It is recommended to create a new group under Resource / Reports / Security called 'log4j Exploit Detection' and import reports to this group.
- Select the Import option under More.
- Select FortiSIEM_log4j_Reports_v2.1.xml  and import.

 

4) Use FortiSIEM_log4j_Rules_v2.xml  as the file to import the Rules
- Navigate to Resource / Rules.
- It is recommended to create a new group under Resource / Rules / Security / Threat Hunting is created called 'log4 Exploit Detection' and import the rules to this group.
- Select the Import.
- Select FortiSIEM_log4j_Rules_v2.xml  and import.
- Filter the rules on log4j and ensure it is enabled.

 

 

Imported and enabled Rules

log4j_Rules_v1.png

 

Imported Reports

log4j_Reports_v1.png

 
Fortinet_FortiSIEM-log4j-Detection-v2.zip
Labels:
4243
Suggest New Article
Article Feedback
Contributors
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.