Description
This article describes how to use custom Rules and Reports to detect activity that may be related to the "SUNBURST" backdoor, which was delivered through compromised updates of SolarWinds Orion, an IT monitoring and management platform.
3. Use SUNBURST_Report_v2.xml as the file to import the Reports:
   a. Navigate to Resource / Reports.
   b. It is recommended to create a new group under Resource / Reports / Security called "SUNBURST Attack" and import the reports into this group.
   c. Select the Import option under "More".
   d. Select SUNBURST_Report_v2.xml and import.
4. Use SUNBURST_Rule_v2.xml as the file to import the Rules:
   a. Navigate to Resource / Rules.
   b. It is recommended to create a new group under Resource / Rules / Security / Threat Hunting called "SUNBURST Attack" and import the rules into this group.
   c. Click Import.
   d. Select SUNBURST_Rules_v2.xml and import.
   e. Filter the rules on SUNBURST and ensure that they are Enabled. A rule that is imported but left disabled will not evaluate events or raise incidents, so this check is what actually turns the detection on.
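Before importing a rule package from outside, it is worth checking what it contains and which rules are flagged inactive, so that step 4e does not become guesswork. The script below is an added example, not part of this article or of the vendor's tooling. It assumes the rule export is an XML document in which each rule is a <rule> element with a <name> child and an <active> child holding "true" or "false"; that element layout and the sample rule names are assumptions, so adjust the tag names to match the real SUNBURST_Rule_v2.xml before relying on it.

```python
"""Pre-import sanity check for a SIEM rule export (added example, not the article's own code).

Assumed layout (not taken from the article): <rules> containing <rule> elements,
each with a <name> child and an <active> child whose text is "true" or "false".
"""
import sys
import xml.etree.ElementTree as ET

# Constructed sample standing in for SUNBURST_Rule_v2.xml; rule names are placeholders.
SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<rules>
  <rule>
    <name>SUNBURST detection rule 1</name>
    <active>true</active>
  </rule>
  <rule>
    <name>SUNBURST detection rule 2</name>
    <active>false</active>
  </rule>
  <rule>
    <name>Unrelated brute-force rule</name>
    <active>true</active>
  </rule>
</rules>
"""


def parse_rules(xml_text):
    """Return a list of {"name", "active"} dicts, one per <rule> element."""
    root = ET.fromstring(xml_text)  # ElementTree does not resolve external entities
    rules = []
    for rule in root.iter("rule"):
        name = (rule.findtext("name") or "").strip()
        active = (rule.findtext("active") or "").strip().lower() == "true"
        rules.append({"name": name, "active": active})
    return rules


def matching_rules(rules, keyword="SUNBURST"):
    """Case-insensitive name filter, mirroring the 'filter on SUNBURST' step in the GUI."""
    return [r for r in rules if keyword.lower() in r["name"].lower()]


def check_export(xml_text, keyword="SUNBURST"):
    """Summarise the export: how many rules, how many match, and which matches are inactive."""
    rules = parse_rules(xml_text)
    matched = matching_rules(rules, keyword)
    inactive = [r["name"] for r in matched if not r["active"]]
    return {"total": len(rules), "matched": len(matched), "inactive": inactive}


def main(argv):
    # Usage: python check_rules.py [path/to/SUNBURST_Rule_v2.xml]; falls back to the sample.
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            xml_text = fh.read()
    else:
        xml_text = SAMPLE_XML
    result = check_export(xml_text)
    print(f"rules in file: {result['total']}, matching SUNBURST: {result['matched']}")
    for name in result["inactive"]:
        print(f"  inactive, enable after import: {name}")
    return 1 if result["inactive"] else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The non-zero exit status when inactive SUNBURST rules are found lets the check sit in a change-control script; the list it prints is exactly the set of rules to enable after the import, which is the point of step 4e.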