Technical Tip: Using FortiSIEM to detect Microsoft Exchange ProxyNotShell Vulnerabilities

This article describes how to use custom Rules in FortiSIEM to identify incidents related to attacks that attempt to leverage the Microsoft Exchange ProxyNotShell vulnerabilities.

A report is also provided to gain historical visibility into the logs.

The article will be continually updated as more information becomes available.

The Rules and Reports leverage logs from other Fortinet products that can be used to detect the attack in addition to FortiGate logs.

For more information about this attack, see the following FortiGuard Outbreak Alert: https://fortiguard.fortinet.com/outbreak-alert/msexchange-autodiscover-rce

1) Use FortiSIEM_MicrosoftExchange_ProxyNotShell_Reports_v1.xml as the file to import the Reports.

- Navigate to Resource/Reports.


- It is recommended to create a new group under Resource/Reports/Security called ‘FortiSIEM Microsoft Exchange  ProxyNotShell Reports’ and import reports to this group.
- Select the Import option under More.


- Select FortiSIEM_MicrosoftExchange_ProxyNotShell_Reports_v1.xml and import.

2) Use FortiSIEM_MicrosoftExchange_ProxyNotShell_Rules_v1.xml as the file to import the Rules.


- Navigate to Resource/Rules.


- It is recommended to create a new group under Resource/Rules/Security/ Threat Hunting is created called 'FortiSIEM MicrosoftExchange ProxyNotShell Rules’ and import the rules to this group.

- Select the Import.
- Select FortiSIEM_MicrosoftExchange_ProxyNotShell_Rules_v1.xml and import.


FortiSIEM provides content packs for easy installation of these Rules and Reports.


What is included in Fortinet_FortiSIEM_MicrosoftExchange_ProxyNotShell_Rules_v1.zip?


- A FortiSIEM Rule to help with detection.


- A FortiSIEM Report to help with historical reporting.