Description
This article describes how to use custom Rules in FortiSIEM to respond to attacks that attempt to exploit the Apache Commons Text Interpolation Remote Code Execution vulnerability. A Report is also provided to give historical visibility into the relevant logs.
Scope
This article applies to FortiSIEM.
The Rules and Reports leverage logs from other Fortinet products, in addition to FortiGate logs, that can be used to detect the attack.
For more information about this attack, see the following FortiGuard Outbreak Alert: https://www.fortiguard.com/outbreak-alert/prestige-ransomware
Solution
1) Download Fortinet_FortiSIEM_Prestige_Ransomware.zip, which is attached to this article. The .zip archive contains the following items:
- A FortiSIEM Rule to help with detection.
- A FortiSIEM Report to help with historical reporting.
2) Import the reports from the FortiSIEM_Prestige_Ransomware_Report_v1.xml file contained in the .zip archive:
- Navigate to Resource/Reports.
- It is recommended to create a new group called 'FortiSIEM Prestige Ransomware' under Resource/Reports/Security and import the reports to this group.
- Select FortiSIEM_Prestige_Ransomware_Report_v1.xml and import it.
3) Import Rules from the FortiSIEM_Prestige_Ransomware_Rules_v1.xml file contained in the .zip archive:
- Navigate to Resource/Rules.
- It is recommended to create a new group called 'Fortinet FortiSIEM Prestige Ransomware' under Resource/Rules/Security/Threat Hunting and import the rules to this group.
- Select Import.
FortiSIEM provides content packs for easy installation of these Rules and Reports.
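Before importing a content pack, it is worth confirming that the archive actually contains the two XML files named above and that each one is well-formed, so that a truncated download or a stray file is caught before it reaches the FortiSIEM import dialog. The following script is an added example, not Fortinet code; it uses only the file names from this article, makes no assumption about the internal FortiSIEM XML schema, and builds a constructed stand-in archive in memory so it can be run offline.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Member names taken from the article. The FortiSIEM XML schema itself is not
# assumed here; the check only verifies presence and well-formedness.
EXPECTED_MEMBERS = (
    "FortiSIEM_Prestige_Ransomware_Report_v1.xml",
    "FortiSIEM_Prestige_Ransomware_Rules_v1.xml",
)


def check_content_pack(zip_bytes):
    """Return {member: (ok, detail)} for each expected XML member.

    ok is True only when the member exists and parses as well-formed XML;
    detail is the XML root tag on success or an error description otherwise.
    Any members not listed in EXPECTED_MEMBERS are reported under '_extra'.
    """
    results = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = set(zf.namelist())
        for member in EXPECTED_MEMBERS:
            if member not in names:
                results[member] = (False, "missing from archive")
                continue
            try:
                root = ET.fromstring(zf.read(member))
                results[member] = (True, root.tag)
            except ET.ParseError as exc:
                results[member] = (False, f"not well-formed XML: {exc}")
        results["_extra"] = sorted(names - set(EXPECTED_MEMBERS))
    return results


def build_sample_pack(rules_xml=b"<rules><rule name='sample'/></rules>",
                      report_xml=b"<reports><report name='sample'/></reports>"):
    """Constructed stand-in for the attached .zip, used only to exercise the check."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(EXPECTED_MEMBERS[0], report_xml)
        zf.writestr(EXPECTED_MEMBERS[1], rules_xml)
    return buf.getvalue()


if __name__ == "__main__":
    # Replace build_sample_pack() with open("Fortinet_FortiSIEM_Prestige_Ransomware.zip", "rb").read()
    for name, verdict in check_content_pack(build_sample_pack()).items():
        print(name, verdict)
```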
Copyright 2024 Fortinet, Inc. All Rights Reserved.