FortiSIEM
FortiSIEM provides Security Information and Event Management (SIEM) and User and Entity Behavior Analytics (UEBA)
keithli_FTNT
Staff
Article Id 197522
Description
This article describes how to use custom Rules and Reports to detect activity that may be related to the "Sunburst" backdoor, which was delivered through a compromised update of SolarWinds' Orion IT monitoring and management software.

For more information on this hack, see the Fortinet blog post:
What We Have Learned So Far about the “Sunburst”/SolarWinds Hack | FortiGuard labs

What is included in Fortinet_FortiSIEM-Sunburst-Detection_v2.zip?

1. SUNBURST_Report_v2.xml
The reports can be run on historical data to look for indicators associated with Sunburst.

2. SUNBURST_Rule_v2.xml
The rules detect indicators relating to the Sunburst backdoor as events arrive.
 
See the Solution section for instructions on how to load these into FortiSIEM.

Scope

Solution
All screenshots provided below for illustration purposes are taken from FortiSIEM 6.x.

1. Download the Fortinet_FortiSIEM-Sunburst-Detection_v2.zip file (contains 2 files).
2. Unzip Fortinet_FortiSIEM-Sunburst-Detection_v2.zip.

3. Use SUNBURST_Report_v2.xml as the file to import the Reports:
    a. Navigate to Resource / Reports.
    b. It is recommended that a new group called "SUNBURST Attack" is created under Resource / Reports / Security and that the reports are imported into this group.
    c. Select the Import option under "More".
    d. Select SUNBURST_Report_v2.xml and import.

4. Use SUNBURST_Rule_v2.xml as the file to import the Rules:
    a. Navigate to Resource / Rules.
    b. It is recommended that a new group called "SUNBURST Attack" is created under Resource / Rules / Security / Threat Hunting and that the rules are imported into this group.
    c. Click Import.
    d. Select SUNBURST_Rule_v2.xml and import.
    e. Filter the rules on "SUNBURST" and ensure that they are Enabled; an imported rule that is left disabled will not generate incidents.

[Screenshot: imported and enabled Rules]

[Screenshot: imported Reports]

Related Articles

How to use FortiAnalyzer to detect a “Sunburst”/SolarWinds Hack
