FortiSIEM
FortiSIEM provides Security Information and Event Management (SIEM) and User and Entity Behavior Analytics (UEBA)
keithli_FTNT
Staff
Staff
Article Id 196598
Description
This article describes how to use a custom Rules and Reports in FortiSIEM to detect activities related to Microsoft's Printnightmare vulnerability. This Windows Print Spooler remote code execution vulnerability is assigned CVE-2021-34527.

For more information on the threat, also see the FortiGuard Lab Threat Signal Report:

This FortiSIEM Reports and Rules help identify indicators detected by FortiGate's and FortiClient's IPS and Endpoint Vulnerability signatures. Logs triggering the event handler are generated from FortiGate and FortiClient. Therefore, it is highly advisable to keep AV, IPS and Endpoint Vulnerability signatures up to date on applicable products such as FortiGate and FortiClient in order to prevent and log attacks to exploit the vulnerability.

Signatures are added, but not limited, to the following signature packages:
Endpoint Vuln Protection 1.250 - various Microsoft Updates for Windows
Endpoint Vuln Protection 1.251 - various Microsoft Updates for Windows

What is included in Fortinet_FortiSIEM_SOC-Printnightmare-Detection.zip?

1. Printnightmare-Reports_v1.xml
The reports can be ran on historical data looking for indicators associated with Printnightmare.

2. Printnightmare-Rules_v1.xml
The Rules will detect indicators associated with Printnightmare in real time.

See the Solution section for instruction on how to load these into a FortiSIEM


Scope
The custom Rules and Reports can be loaded into FortiSIEM 6.x versions.

Solution
All screen shots provided below for illustration purposes are taken from FortiSIEM 6.x

1. Download the Fortinet_FortiSIEM_SOC-Printnightmare-Detection.zip file (contains 2 file)

2. Unzip Fortinet_FortiSIEM_SOC-Printnightmare-Detection.zip

3. Use Printnightmare_Report_v1.xml as the file to import the Reports
    a. Navigate to Resource / Reports
    b. It is recommended that a new group under Resource / Reports / Security is created called “Printnightmare Attack” and reports are imported to this group.
    d. Select the Import option under "More"
    e. Select Printnightmare_Report_v1.xml and import.

4. Use Printnightmare_Rules_v1.xml as the file to import the Rules
    a. Navigate to Resource / rules
    b. It is recommended that a new group under Resource / Rules / Security / Threat Hunting is created called “Printnightmare Attack” and rules are imported to this group.
    d. Click the Import
    e. Select Printnightmare_Rules_v1.xml and import.
    f. Filter the rules on Printnightmare and ensure that they are Enabled.

Imported and enabled Rules
FSM-Printnightmare-Rules.png

Imported Reports
FSM-Printnightmare-Reports.png



Contributors