Description
This article describes how to use custom Rules and Reports to detect activity that may be related to the "Sunburst" backdoor, which was delivered through the compromised update system of the SolarWinds Orion IT monitoring and management software.
For more information on this hack, see the Fortinet blog post:
What We Have Learned So Far about the "Sunburst"/SolarWinds Hack | FortiGuard Labs

What is included in Fortinet_FortiSIEM-Sunburst-Detection_v2.zip?
1. SUNBURST_Report_v2.xml
The reports can be run on historical data looking for indicators associated with Sunburst.
2. SUNBURST_Rule_v2.xml
The rules will detect indicators relating to the Sunburst backdoor. See the Solution section for instructions on how to load these into a FortiSIEM.
Scope
Solution
All screenshots provided below for illustration purposes are taken from FortiSIEM 6.x.
1. Download the Fortinet_FortiSIEM-Sunburst-Detection_v2.zip file (contains 2 files).
2. Unzip Fortinet_FortiSIEM-Sunburst-Detection_v2.zip.
3. Use SUNBURST_Report_v2.xml as the file to import the Reports.
 a. Navigate to Resource / Reports.
 b. It is recommended that a new group called "SUNBURST Attack" is created under Resource / Reports / Security and that the reports are imported into this group.
 c. Select the Import option under "More".
 d. Select SUNBURST_Report_v2.xml and import.
4. Use SUNBURST_Rule_v2.xml as the file to import the Rules.
 a. Navigate to Resource / Rules.
 b. It is recommended that a new group called "SUNBURST Attack" is created under Resource / Rules / Security / Threat Hunting and that the rules are imported into this group.
 c. Click Import.
 d. Select SUNBURST_Rule_v2.xml and import.
 e. Filter the rules on SUNBURST and ensure that they are Enabled.
Screenshot: Imported and enabled Rules
Screenshot: Imported Reports
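Before importing detection content into a SIEM it is worth confirming that the downloaded archive really contains the two files the article lists, that nothing else is bundled with them, and that each file parses as XML; a detection package is itself a piece of software-supply-chain content. The following script is an added example written for this article, not Fortinet's code and not part of the package. It assumes only the file names given above; the XML bodies it builds for demonstration are constructed placeholders and do not follow the FortiSIEM rule or report schema.

```python
import hashlib
import os
import tempfile
import xml.etree.ElementTree as ET
import zipfile
from pathlib import Path

# File names exactly as listed in the article's package description.
EXPECTED_FILES = {"SUNBURST_Report_v2.xml", "SUNBURST_Rule_v2.xml"}


def sha256_of(path):
    """Hash the archive so the value can be logged and compared with a vendor-published checksum."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def validate_package(zip_path):
    """Inspect the zip without extracting it: the two expected XML files must be present,
    nothing else may be bundled, and each file must be well-formed XML."""
    result = {"sha256": sha256_of(zip_path), "files": {}, "missing": [], "unexpected": [], "ok": False}
    with zipfile.ZipFile(zip_path) as zf:
        # Skip directory entries; key by base name so a top-level folder inside the zip is tolerated.
        members = {Path(n).name: n for n in zf.namelist() if not n.endswith("/")}
        names = set(members)
        result["missing"] = sorted(EXPECTED_FILES - names)
        result["unexpected"] = sorted(names - EXPECTED_FILES)
        for base in sorted(EXPECTED_FILES & names):
            data = zf.read(members[base])
            try:
                root = ET.fromstring(data)
                result["files"][base] = {
                    "well_formed": True,
                    "root": root.tag,
                    "elements": sum(1 for _ in root.iter()),  # root included in the count
                }
            except ET.ParseError as exc:
                result["files"][base] = {"well_formed": False, "error": str(exc)}
    result["ok"] = (
        not result["missing"]
        and not result["unexpected"]
        and all(info["well_formed"] for info in result["files"].values())
    )
    return result


def build_sample_package(corrupt=False):
    """Construct a stand-in archive for demonstration (constructed data, not the real package).
    The XML bodies are placeholders, not the FortiSIEM rule/report schema.
    With corrupt=True the report file is omitted and the rule file is truncated."""
    path = os.path.join(tempfile.mkdtemp(), "Fortinet_FortiSIEM-Sunburst-Detection_v2.zip")
    report_xml = b'<reports><report name="placeholder-report"/></reports>'
    rule_xml = b'<rules><rule name="placeholder-rule"><condition/></rule></rules>'
    with zipfile.ZipFile(path, "w") as zf:
        if corrupt:
            zf.writestr("SUNBURST_Rule_v2.xml", rule_xml[:-8])  # closing </rules> removed: not well-formed
        else:
            zf.writestr("SUNBURST_Report_v2.xml", report_xml)
            zf.writestr("SUNBURST_Rule_v2.xml", rule_xml)
    return path


if __name__ == "__main__":
    for corrupt in (False, True):
        verdict = validate_package(build_sample_package(corrupt=corrupt))
        print("corrupt" if corrupt else "intact", "->", "OK" if verdict["ok"] else "REJECT", verdict)
```

The script only reads members from the archive, so it never writes attacker-controlled paths to disk the way a blind extraction of a crafted zip could. It does not know the correct checksum for the real download; record the printed SHA-256 and compare it with whatever value Fortinet publishes alongside the package before proceeding to step 3.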
Related Articles
How to use FortiAnalyzer to detect a “Sunburst”/SolarWinds Hack