FortiSIEM
keithli_FTNT
Staff
Article Id 194307
Description
This article describes how to use a custom Rule and Report in FortiSIEM to detect attempts to exploit F5 BIG-IP vulnerabilities, including a buffer overflow in the Traffic Management Microkernel (TMM).

The exploit attempts target these vulnerabilities:
  • CVE-2021-22991
  • CVE-2021-22986
  • CVE-2021-22992

For more information about this attack, see the following FortiGuard Threat Signal Report:
Observed in the Wild Exploitation of F5 BIG-IP Remote Command Execution Vulnerability (CVE-2021-2298...

What is included in Fortinet_FortiSIEM-F5-BIG-IP-Detection_v2.zip?

1. F5-BIG-IP_Report_v2.xml
The report can be run on historical data to look for the FortiGate and FortiProxy IPS signatures associated with the attack.

2. F5-BIG-IP_Rule_v2.xml
The rule detects the FortiGate and FortiProxy IPS signatures associated with the attack as the events arrive and raises an incident.

See the Solution section for instructions on how to load these into FortiSIEM.
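The rule's job, as described above, is to match FortiGate and FortiProxy IPS signature events for these CVEs and raise an incident. The Python below is an added example, not code from this article or from the FortiSIEM rule XML: it re-implements that matching over constructed FortiOS-style log lines so the logic can be inspected and tested outside FortiSIEM, including aggregation per attacker and the "was it blocked" check an analyst makes first. The signature names in WATCHED_SIGNATURES, the device names and the log lines are assumptions or constructed data; take the real signature names from the imported rule once it is loaded.

```python
"""Added example: stand-alone re-implementation of the F5 BIG-IP IPS-signature
detection over FortiGate/FortiProxy log lines. Not the article's or FortiSIEM's
own code; signature names and sample logs are assumed/constructed."""
import re
from collections import defaultdict

# ASSUMPTION: the article does not list the IPS signature names the rule
# matches. These placeholder names stand in for the FortiGate/FortiProxy
# signatures associated with the three CVEs; replace them with the names
# from the imported rule (Resource / Rules, F5-BIG-IP group).
WATCHED_SIGNATURES = {
    "F5.BIG-IP.iControl.REST.Remote.Command.Execution": "CVE-2021-22986",
    "F5.BIG-IP.TMM.Buffer.Overflow": "CVE-2021-22991",
    "F5.BIG-IP.Advanced.WAF.Buffer.Overflow": "CVE-2021-22992",
}

# FortiGate/FortiProxy logs are space-separated key=value pairs; string
# values are double-quoted and may contain spaces.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fortigate_log(line: str) -> dict:
    """Split one FortiOS-style log line into a {key: value} dict."""
    fields = {}
    for key, value in KV_RE.findall(line):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


def is_f5_exploit_attempt(fields: dict) -> bool:
    """Rule condition: an IPS signature event whose attack name is watched."""
    return (
        fields.get("type") == "utm"
        and fields.get("subtype") == "ips"
        and fields.get("attack") in WATCHED_SIGNATURES
    )


def correlate(lines, threshold: int = 1) -> list:
    """Group matching events by attacker IP and raise one incident per
    attacker once at least `threshold` events are seen, the way a FortiSIEM
    rule aggregates on Source IP. Also records whether every attempt was
    dropped by the firewall, which is what an analyst checks first."""
    hits = defaultdict(list)
    for line in lines:
        fields = parse_fortigate_log(line)
        if is_f5_exploit_attempt(fields):
            hits[fields.get("srcip")].append(fields)

    incidents = []
    for srcip, events in hits.items():
        if len(events) < threshold:
            continue
        incidents.append({
            "srcip": srcip,
            "count": len(events),
            "targets": sorted({e.get("dstip") for e in events}),
            "cves": sorted({WATCHED_SIGNATURES[e["attack"]] for e in events}),
            "reporting_devices": sorted({e.get("devname") for e in events}),
            "all_blocked": all(e.get("action") == "dropped" for e in events),
        })
    return incidents


# Constructed sample logs (not real traffic): two IPS hits from one attacker
# seen by a FortiGate and a FortiProxy, one hit from another attacker, plus a
# traffic log and an unrelated IPS signature that must both be ignored.
SAMPLE_LOGS = [
    'date=2021-03-20 time=10:15:01 devname="FGT-EDGE-01" type="utm" subtype="ips" '
    'eventtype="signature" level="alert" severity="critical" srcip=203.0.113.45 '
    'dstip=192.0.2.10 action="dropped" proto=6 service="HTTPS" '
    'attack="F5.BIG-IP.iControl.REST.Remote.Command.Execution" dstport=443 '
    'msg="web_app: F5.BIG-IP.iControl.REST.Remote.Command.Execution"',
    'date=2021-03-20 time=10:15:07 devname="FPX-DMZ-01" type="utm" subtype="ips" '
    'eventtype="signature" level="alert" severity="critical" srcip=203.0.113.45 '
    'dstip=192.0.2.11 action="detected" proto=6 service="HTTPS" '
    'attack="F5.BIG-IP.TMM.Buffer.Overflow" dstport=443',
    'date=2021-03-20 time=10:16:30 devname="FGT-EDGE-01" type="utm" subtype="ips" '
    'eventtype="signature" level="alert" severity="critical" srcip=198.51.100.7 '
    'dstip=192.0.2.10 action="dropped" proto=6 service="HTTPS" '
    'attack="F5.BIG-IP.iControl.REST.Remote.Command.Execution" dstport=443',
    'date=2021-03-20 time=10:16:31 devname="FGT-EDGE-01" type="traffic" '
    'subtype="forward" srcip=198.51.100.7 dstip=192.0.2.10 action="deny" proto=6',
    'date=2021-03-20 time=10:17:00 devname="FGT-EDGE-01" type="utm" subtype="ips" '
    'eventtype="signature" level="warning" srcip=198.51.100.7 dstip=192.0.2.12 '
    'action="dropped" attack="Placeholder.Unrelated.Signature" dstport=80',
]


if __name__ == "__main__":
    for incident in correlate(SAMPLE_LOGS):
        print(incident)
```

Running the script prints one incident per attacking source IP. The `threshold` argument is the equivalent of the event count condition a FortiSIEM rule can apply in its time window; with the default of 1 a single matching signature is enough, which is the right setting for an exploit signature of this severity. The `action="detected"` event from the FortiProxy is what turns `all_blocked` to False for the first attacker, the case that needs follow-up on the BIG-IP itself.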



Scope
The custom Rules and Reports can be loaded into FortiSIEM 5.x and 6.x versions.

Solution
All screenshots below are taken from FortiSIEM 6.x and are provided for illustration purposes.

1. Download the Fortinet_FortiSIEM-F5-BIG-IP-Detection_v2.zip file (contains two files).

2. Unzip Fortinet_FortiSIEM-F5-BIG-IP-Detection_v2.zip.

3. Use F5-BIG-IP_Report_v2.xml to import the Report:
  a. Navigate to Resource / Reports.
  b. It is recommended to create a new group called “F5-BIG-IP” under Resource / Reports / Security and import the report into this group.
  c. Select the Import option under "More".
  d. Select F5-BIG-IP_Report_v2.xml and import.

4. Use F5-BIG-IP_Rule_v2.xml to import the Rule:
  a. Navigate to Resource / Rules.
  b. It is recommended to create a new group called “F5-BIG-IP” under Resource / Rules / Security / Threat Hunting and import the rule into this group.
  c. Select the Import option.
  d. Select F5-BIG-IP_Rule_v2.xml and import.
  e. Filter the rules on F5-BIG-IP and verify that they are Enabled; an imported rule that is left disabled generates no incidents.


Imported and enabled Rules
FSM-imported&enabled-rules.png

Imported Reports
FSM-imported-report-F5.png

Example Incident
FSM-example-incident.png


