Description
This article describes how to use custom Rules in FortiSIEM to respond to attacks that attempt to exploit the Apache Commons Text interpolation remote code execution vulnerability (CVE-2022-42889). A Report is also provided to gain historical visibility into the relevant logs.
Scope
This article applies to FortiSIEM.
The Rules and Reports use FortiGate logs as well as logs from other Fortinet products that can detect the attack.
For more information about this attack, see the following Outbreak Alert: https://fortiguard.fortinet.com/outbreak-alert/apache-commons-text-rce
Solution
1) Download Fortinet_FortiSIEM_CVE-2022-42889.zip, which is attached to this article. The .zip archive includes the following items:
- A FortiSIEM Rule to help with detection.
- A FortiSIEM Report to help with historical reporting.
2) Import the Reports from FortiSIEM_Apache_CVE-2022-42889_Reports_v1.xml:
- Navigate to Resource/Reports.
- It is recommended to create a new group under Resource/Reports/Security called 'FortiSIEM Apache CVE-2022-42889' and import the reports into this group.
- Select FortiSIEM_Apache_CVE-2022-42889_Reports_v1.xml and import it.
3) Import the Rules from FortiSIEM_Apache_CVE-2022-42889_Rules_v1.xml:
- Navigate to Resource/Rules.
- It is recommended to create a new group under Resource/Rules/Security/Threat Hunting/ called 'FortiSIEM Apache CVE-2022-42889 Rules' and import the rules into this group.
- Select FortiSIEM_Apache_CVE-2022-42889_Rules_v1.xml and import it.
FortiSIEM provides content packs for easy installation of these Rules and Reports.
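The FortiSIEM Rule in the attached archive is not reproduced in this article, so the following is an added example (written for this page, not Fortinet's rule logic) of the kind of matching such a detection performs. It scans web-server access log lines for the "${script:", "${dns:" and "${url:" interpolation prefixes that Apache Commons Text 1.5 through 1.9 resolve by default, after URL-decoding each line so that encoded and double-encoded payloads are still caught. The log lines, addresses and hostnames below are constructed placeholders.

```python
import re
from urllib.parse import unquote

# Added example, not the FortiSIEM Rule shipped in the attached archive.
# Apache Commons Text 1.5 through 1.9 enable the "script", "dns" and "url"
# lookups in the default interpolator, so a "${script:javascript:...}",
# "${dns:...}" or "${url:...}" token that reaches StringSubstitutor can run
# code or trigger out-of-band network access (CVE-2022-42889). The
# interpolator lowercases the prefix before lookup, so match case-insensitively.
INTERPOLATION = re.compile(r"\$\{(script|dns|url):", re.IGNORECASE)


def normalize(text: str, max_rounds: int = 3) -> str:
    """URL-decode repeatedly (bounded) so that %24%7B and the double-encoded
    %2524%257B both collapse to the literal "${" before matching."""
    for _ in range(max_rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text


def find_interpolation(text: str):
    """Return (prefix, decoded snippet) pairs for every dangerous token in text."""
    norm = normalize(text)
    return [(m.group(1).lower(), norm[m.start():m.start() + 60])
            for m in INTERPOLATION.finditer(norm)]


def scan_logs(lines):
    """Return one finding per log line that carries a dangerous token."""
    findings = []
    for number, line in enumerate(lines, start=1):
        hits = find_interpolation(line)
        if hits:
            findings.append({
                "line": number,
                "prefixes": sorted({prefix for prefix, _ in hits}),
                "snippets": [snippet for _, snippet in hits],
                "log": line,
            })
    return findings


# Constructed access-log lines (not real traffic); hosts and paths are placeholders.
SAMPLE_LOGS = [
    '10.0.0.5 - - [18/Oct/2022:10:01:02 +0000] "GET /search?q=hello HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    # single URL-encoding of ${script:javascript:1+1}
    '10.0.0.9 - - [18/Oct/2022:10:01:07 +0000] "GET /search?q=%24%7Bscript%3Ajavascript%3A1%2B1%7D HTTP/1.1" 200 512 "-" "curl/7.85"',
    # double URL-encoding of ${dns:address|probe.example.com}
    '10.0.0.9 - - [18/Oct/2022:10:01:09 +0000] "GET /search?q=%2524%257Bdns%253Aaddress%257Cprobe.example.com%257D HTTP/1.1" 200 512 "-" "curl/7.85"',
    # mixed-case prefix placed in the User-Agent header
    '10.0.0.9 - - [18/Oct/2022:10:01:11 +0000] "POST /api/render HTTP/1.1" 200 40 "-" "${URL:UTF-8:YQ==}"',
    # benign build-tool placeholder that must not alert
    '10.0.0.7 - - [18/Oct/2022:10:01:15 +0000] "GET /build?v=${project.version} HTTP/1.1" 200 12 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in scan_logs(SAMPLE_LOGS):
        print(f"line {finding['line']}: {finding['prefixes']} {finding['snippets'][0]!r}")
```

Two caveats apply to any such match. A hit in a web log shows an attempt, not a successful exploitation; confirm impact by correlating with unexpected outbound DNS or HTTP from the application server around the same timestamp. And this decoder only handles URL-encoding; payloads hidden with HTML entities or Unicode escapes, or delivered in headers and request bodies the log source does not record, need the richer field coverage that the FortiSIEM Rule gets from FortiGate and other Fabric logs.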
Copyright 2024 Fortinet, Inc. All Rights Reserved.