FortiSIEM
FSM_FTNT
Staff
Article Id 232371
Description

This article describes the Rules and Reports that the FortiSIEM Content Update service provides to detect potential incidents or compromises.

Scope

This article applies to FortiSIEM.

The Rules and Reports provided with the Outbreak Alerts leverage logs from other Fortinet products to detect the attacks.

For more information about FortiGuard Outbreak Alerts visit https://www.fortiguard.com/outbreak-alert.

FortiSIEM Content Update requires an active support subscription to allow access to the latest updates.

Solution

For steps on how to apply the latest content update, visit https://help.fortinet.com/fsiem/6-7-0/Online-Help/HTML5_Help/content_update.htm.

Content update 329 (6.6.x), 421 (6.7.x), 514 (7.0.x), 607 (7.1.x) adds detection of the following outbreaks:

  • Outbreak: Nice Linear eMerge Command Injection Vuln Detected on Network
  • Outbreak: Sunhillo SureLine Command Injection Attack Detected on Network
  • Outbreak: Sunhillo SureLine Command Injection Attack Detected on Host
  • Outbreak: PAN OS GlobalProtect Command Injection Vuln Detected on Network
  • Outbreak: PAN OS GlobalProtect Command Injection Vuln Detected on Host

Content update 328 (6.6.x), 420 (6.7.x), 513 (7.0.x), 606 (7.1.x) adds detection of the following outbreaks:

  • Outbreak: ConnectWise ScreenConnect Attack Detected on Network
  • Outbreak: ConnectWise ScreenConnect Attack Detected on Host

Content update 325 (6.6.x), 417 (6.7.x), 510 (7.0.x), 604 (7.1.x) adds detection of the following outbreaks:

  • Outbreak: Ivanti Connect Secure and Policy Secure Attack Detected on Network

Content update 324 (6.6.x), 416 (6.7.x), 509 (7.0.x), 603 (7.1.x) adds detection of the following outbreaks:

  • Outbreak: Microsoft SharePoint Server Elevation of Privilege Vuln Detected on Network
  • Outbreak: Microsoft SharePoint Server Elevation of Privilege Vuln Detected on Host
  • Outbreak: Adobe ColdFusion Access Control Bypass Attack Detected on Network
  • Outbreak: Adobe ColdFusion Access Control Bypass Attack Detected on Host
  • Outbreak: Androxgh0st Malware Attack Detected on Network
  • Outbreak: Androxgh0st Malware Attack Detected on Host

Content update 323 (6.6.x), 415 (6.7.x), 508 (7.0.x), 602 (7.1.x) adds detection of the following outbreaks:

  • Outbreak: Lazarus RAT Attack Detected on Network
  • Outbreak: Lazarus RAT Attack Detected on Host
  • Outbreak: JetBrains TeamCity Authentication Bypass Attack Detected on Network
  • Outbreak: JetBrains TeamCity Authentication Bypass Attack Detected on Host

Content update 322 (6.6.x), 414 (6.7.x), 507 (7.0.x), 601 (7.1.x) adds detection of the following outbreaks:

  • Outbreak: Citrix Bleed Attack Detected on Network
  • Outbreak: Apache ActiveMQ Ransomware Attack Detected on Network
  • Outbreak: Apache ActiveMQ Ransomware Attack Detected on Host

Content update 224 (6.5.x), 321 (6.6.x), 413 (6.7.x), 506 (7.0.x) adds detection of the following outbreaks:

  • Outbreak: Cisco IOS XE Web UI Attack Detected on Network
  • Outbreak: HTTP2 Rapid Reset Attack Detected on Network
  • Outbreak: HTTP2 Rapid Reset Attack Detected on Host

Content update 223 (6.5.x), 320 (6.6.x), 412 (6.7.x), 505 (7.0.x) adds detection of the following outbreaks:

  • Outbreak: Google Chromium WebP Vuln Detected on Network
  • Outbreak: Google Chromium WebP Vuln Detected on Host

Content update 222 (6.5.x), 319 (6.6.x), 411 (6.7.x), 504 (7.0.x) adds detection of the following outbreaks:

  • Outbreak: Adobe ColdFusion Deserialization of Untrusted Data Vuln Detected on Network.
  • Outbreak: Adobe ColdFusion Deserialization of Untrusted Data Vuln Detected on Host.
  • Outbreak: WooCommerce Payments Improper Authentication Vuln Detected on Network.
  • Outbreak: WooCommerce Payments Improper Authentication Vuln Detected on Host.
  • Outbreak: Agent Tesla Malware Attack Detected on Network.
  • Outbreak: Agent Tesla Malware Attack Detected on Host.

Content update 221 (6.5.x), 318 (6.6.x), 410 (6.7.x), 503 (7.0.0) adds detection of the following outbreaks:

  • Outbreak: Microsoft Office and Windows HTML RCE Vuln Detected on Network.
  • Outbreak: Microsoft Office and Windows HTML RCE Vuln Detected on Host.
  • Outbreak: Zyxel Router Command Injection Attack Detected on Network.
  • Outbreak: Ivanti Endpoint Manager Mobile Authentication Bypass Vuln Detected on Network.
  • Outbreak: Ivanti Endpoint Manager Mobile Authentication Bypass Vuln Detected on Host.

Content update 220 (6.5.x), 317 (6.6.x), 409 (6.7.x), 502 (7.0.0) adds detection of the following outbreaks:

  • Outbreak: VMware Aria Operations for Networks Command Injection Vuln Detected on Network.
  • Outbreak: Apache RocketMQ RCE Vuln Detected on Network.
  • Outbreak: SolarView Compact Command Injection Vuln Detected on Network.

Content update 316 (6.6.x), 408 (6.7.x), 501 (7.0.x) adds detection of the following outbreaks:

  • Outbreak: Multiple Vendor Camera System Attack Detected on Network.
  • Outbreak: TP-Link Archer AX-21 Command Injection Attack Detected on Network.
  • Outbreak: TP-Link Archer AX-21 Command Injection Attack Detected on Host.
  • Outbreak: Zyxel Multiple Firewall Vuln Detected on Network.
  • Outbreak: Zyxel Multiple Firewall Vuln Detected on Host.
  • Outbreak: Progress MOVEit Transfer SQL Injection Vuln Detected on Network.
  • Outbreak: Progress MOVEit Transfer SQL Injection Vuln Detected on Host.
  • Outbreak: CosmicEnergy Malware Detected on Network.
  • Outbreak: CosmicEnergy Malware Detected on Host.

Content update 315 (6.6.x), 407 (6.7.x) adds detection of the following outbreaks:

  • Outbreak: PaperCut MF/NG Improper Access Control Vulnerability Detected on Network.
  • Outbreak: PaperCut MF/NG Improper Access Control Vulnerability Detected on Host.
  • Outbreak: TBK DVR Authentication Bypass Attack Detected on Network.
  • Outbreak: Oracle WebLogic Server Vulnerability Detected on Network.

Content update 314 (6.6.x), 406 (6.7.x) adds detection of the following outbreaks:

  • Outbreak: Zoho ManageEngine RCE Vulnerability Detected on Network.
  • Outbreak: ThinkPHP Remote Code Execution Vulnerability Detected on Network.
  • Outbreak: ThinkPHP Remote Code Execution Vulnerability Detected on Host.
  • Outbreak: Realtek SDK Attack Detected on Network.
  • Outbreak: Realtek SDK Attack Detected on Host.

Content update 313 (6.6.x), 405 (6.7.x) adds detection of the following outbreaks:

  • Outbreak: IBM Aspera Faspex Code Execution Vulnerability Detected on Network.
  • Outbreak: IBM Aspera Faspex Code Execution Vulnerability Detected on Host.
  • Outbreak: Joomla! CMS Improper Access Check Vulnerability Detected on Network.
  • Outbreak: Teclib GLPI Remote Code Execution Vulnerability Detected on Network.
  • Outbreak: Progress Telerik UI Attack Detected on Network.
  • Outbreak: Progress Telerik UI Attack Detected on Host.
  • Outbreak: Microsoft Outlook Elevation of Privilege Vulnerability Detected on Network.
  • Outbreak: Microsoft Outlook Elevation of Privilege Vulnerability Detected on Host.
  • Outbreak: 3CX Supply Chain Attack Detected on Network.
  • Outbreak: 3CX Supply Chain Attack Detected on Host.

Content update 312 (6.6.x), 404 (6.7.x) adds detection of the following outbreaks:

  • Outbreak: VMware ESXi Server Ransomware Attack Detected on Network.
  • Outbreak: Cacti Server Command Injection Attack Detected on Network.
  • Outbreak: Cacti Server Command Injection Vulnerability Detected on Host.
  • Outbreak: Fortra GoAnywhere MFT RCE Vulnerability Detected on Host.
  • Outbreak: Fortra GoAnywhere MFT RCE Vulnerability Detected on Network.

Content update 311 (6.6.x), 403 (6.7.x) adds detection of the following outbreaks:

  • Outbreak: Control Web Panel Login Exploit Detected on Host.
  • Outbreak: Control Web Panel Login Exploit Detected on Network.
  • Outbreak: Router Malware Attack Detected on Host.
  • Outbreak: Router Malware Attack Detected on Network.

Content update 310 (6.6.x), 402 (6.7.x) adds detection of the following outbreaks:

  • Outbreak: Atlassian Pre-Auth Arbitrary File Read Vuln detected on Network.
  • Outbreak: Atlassian Pre-Auth Arbitrary File Read Vuln detected on Host.
  • Outbreak: BURNTCIGAR MS Signed Driver Malware detected on Network.
  • Outbreak: BURNTCIGAR MS Signed Driver Malware detected on Host.
  • Outbreak: FortiWeb detected VMware Spring Cloud Func RCE - Vulnerability on Network.
  • Outbreak: VMware Spring Cloud Func RCE Vulnerability on Network.
  • Outbreak: FortiWeb detected Zerobot Botnet Activity on Network.
  • Outbreak: Zerobot Botnet Activity Detected on Host.
  • Outbreak: Zerobot Botnet Activity Detected on Network.

Content update 309 (6.6.x), 401 (6.7.0) adds detection of the following outbreaks:

  • Outbreak: VMWare Workspace ONE Vulnerability - CVE-2022-22954 on Network.
  • Outbreak: Redigo Malware Detected on Network.
  • Outbreak: Redigo Malware Detected on Host.
  • Outbreak: FortiOS SSLVPN Heap Buffer Overflow Attack - CVE-2022-42475 Detected on Network.

Content update 308 adds detection of the following outbreaks:

  • Outbreak: ABB Flow Computer Path Traversal Vulnerability Detected on Network.
  • Outbreak: Sandbreak vm2 sandbox module RCE Vulnerability Detected on Network.
  • Outbreak: Hive Ransomware Detected on Network.
  • Outbreak: Hive Ransomware Detected on Host.
  • Outbreak: X.509 Email Address Buffer Overflow in OpenSSL 3.0.0 to 3.0.6 detected on Network.
  • Outbreak: X.509 Email Address Buffer Overflow in OpenSSL 3.0.0 to 3.0.6 detected on Host.
  • Outbreak: CISA Top 20 Vulnerability detected on Host.
  • Outbreak: FortiGate detected CISA's Top 20 Vulnerability on the Network.
  • Outbreak: FortiWeb detected CISA Top 20 Vulnerability on Network.