This article describes how to use custom Rules in FortiSIEM to raise incident response related to attacks that attempt to leverage the Hikvision IP Cameras Command Injection Vulnerability.

A report is also provided to gain historical visibility into the logs.

The Rules and Reports leverage logs from other Fortinet products that can be used to detect the attack in addition to FortiGate logs.

For more information about this attack, see the following FortiGuard Outbreak Alert:

https://fortiguard.fortinet.com/outbreak-alert/hikvision-command-injection

1) Use FortiSIEM_Hikvision_Reports_v1.xml as the file to import the Reports.

- Navigate to Resource/Reports.


- It is recommended to create a new group under Resource/Reports/Security called ‘Hikvision Command Injection’ and import reports to this group.
- Select the Import option under More.


- Select FortiSIEM_Hikvision_Reports_v1.xml and import.

2) Use fortiSIEM_Hikvision_Rules_v1.xml as the file to import the Rules.


- Navigate to Resource/Rules.


- It is recommended to create a new group under Resource/Rules/Security/ Threat Hunting is created called 'Himkvision Command Injection’ and import the rules to this group.

- Select the Import.
- Select fortiSIEM_Hikvision_Rules_v1.xml and import.
- Select the Import.
- Select fortiSIEM_Hikvision_Rules_v1.xml and import.


- Validate that these Rules are enabled.


FortiSIEM provides content packs for easy installation of these Rules and Reports:

What is included in Fortinet_FortiSIEM_Hikvision.zip?


- A FortiSIEM Rule to help with detection.


- A FortiSIEM Report to help with historical reporting.