FortiSIEM
FortiSIEM provides Security Information and Event Management (SIEM) and User and Entity Behavior Analytics (UEBA)
FSM_FTNT, Staff
Article Id 228601
Description

This article describes how to use custom Rules in FortiSIEM to respond to attacks that attempt to leverage the Apache Commons Text Interpolation Remote Code Execution vulnerability. A Report is also provided to gain historical visibility into the relevant logs.

The article will be continually updated as more information becomes available.

Scope

This article applies to FortiSIEM.

The Rules and Reports leverage logs from other Fortinet products that can be used to detect the attack, in addition to FortiGate logs.

For more information about this attack, see the following FortiGuard Outbreak Alert: https://www.fortiguard.com/outbreak-alert/prestige-ransomware

Solution

1) Download Fortinet_FortiSIEM_Prestige_Ransomware.zip, which is attached to this article.

The .zip archive contains the following items:

- A FortiSIEM Rule to help with detection.
- A FortiSIEM Report to help with historical reporting.

2) Import the Reports from the FortiSIEM_Prestige_Ransomware_Report_v1.xml file contained in the .zip archive:

- Navigate to Resource/Reports.
- It is recommended to create a new group under Resource/Reports/Security called 'FortiSIEM Prestige Ransomware' and import the Reports to this group.
- Select the Import option under More.
- Select FortiSIEM_Prestige_Ransomware_Report_v1.xml and import it.

3) Import the Rules from the FortiSIEM_Prestige_Ransomware_Rules_v1.xml file contained in the .zip archive:

- Navigate to Resource/Rules.
- It is recommended to create a new group under Resource/Rules/Security/Threat Hunting called 'Fortinet FortiSIEM Prestige Ransomware' and import the Rules to this group.
- Select Import.
- Select FortiSIEM_Prestige_Ransomware_Rules_v1.xml and import it.

FortiSIEM provides content packs for easy installation of these Rules and Reports.
