keithli_FTNT
Staff
Article Id 194491
Description
This article describes how to use custom Rules and Reports to detect activities that may be related to Microsoft Exchange vulnerabilities exploited by HAFNIUM.

For more information on the vulnerabilities being exploited, see the FortiGuard Lab Threat Signal Report:
Out of Band Patches Released for Active Exploitation of Microsoft Exchange Server

What is included in Fortinet_FortiSIEM-MS-Exchange-Attack-Detection.zip?

1) HAFNIUM_Report_v1.xml
The reports can be run on historical data to look for indicators of exploitation of the vulnerabilities.
The Reports “HAFNIUM Infected File Detected by FortiGate” and “HAFNIUM FortiGate IPS Signature Match” identify exploits of the MS Exchange server vulnerabilities detected by IPS (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065).

2) HAFNIUM_Rule_v1.xml
The rules detect indicators of exploitation of the vulnerabilities in real time.
The Rules “HAFNIUM FortiGate Permitted IPS Event” and “HAFNIUM Infected File Detected by FortiGate” identify exploits of the MS Exchange server vulnerabilities detected by IPS (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065).
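As an added illustration (not part of this article or of the shipped XML rules), the Python below sketches the distinction that a rule such as “HAFNIUM FortiGate Permitted IPS Event” relies on: an IPS signature for one of the listed CVEs fired, but the traffic was not blocked. The log lines are constructed, the signature names are placeholders, and the `cve` field name is an assumption.

```python
import re
from typing import Dict, Iterable, List

# CVEs named in the article's HAFNIUM reports and rules.
HAFNIUM_CVES = {"CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065"}

# Actions that mean the IPS engine stopped the traffic; anything else is "permitted".
BLOCKING_ACTIONS = {"dropped", "reset", "blocked"}

# FortiGate-style key=value tokens; values may be bare or double-quoted.
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

def parse_kv(line: str) -> Dict[str, str]:
    """Parse a key=value log line into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in _KV.findall(line)}

def classify_ips_event(ev: Dict[str, str]) -> str:
    """Return 'blocked', 'permitted' or 'ignore' for one parsed event.
    'cve' is an assumed field name carrying the CVE reference(s) of the signature."""
    if ev.get("subtype") != "ips":
        return "ignore"
    cves = set(ev.get("cve", "").split(","))
    if not cves & HAFNIUM_CVES:
        return "ignore"
    return "blocked" if ev.get("action") in BLOCKING_ACTIONS else "permitted"

def permitted_hafnium_events(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Events matching the HAFNIUM CVEs that the IPS saw but did not stop."""
    return [ev for ev in map(parse_kv, lines) if classify_ips_event(ev) == "permitted"]

# Constructed sample lines (not real telemetry); signature names are placeholders.
SAMPLE_LOGS = [
    'date=2021-03-04 time=10:01:02 devname="fgt1" type="utm" subtype="ips" eventtype="signature" '
    'severity="critical" srcip=198.51.100.7 dstip=192.0.2.10 dstport=443 action="dropped" '
    'attack="SAMPLE.Exchange.Signature.A" cve="CVE-2021-26855"',
    'date=2021-03-04 time=10:01:09 devname="fgt1" type="utm" subtype="ips" eventtype="signature" '
    'severity="critical" srcip=198.51.100.7 dstip=192.0.2.10 dstport=443 action="detected" '
    'attack="SAMPLE.Exchange.Signature.B" cve="CVE-2021-27065"',
    'date=2021-03-04 time=10:02:00 devname="fgt1" type="utm" subtype="webfilter" action="passthrough" '
    'srcip=198.51.100.7 dstip=192.0.2.10',
]

if __name__ == "__main__":
    for ev in permitted_hafnium_events(SAMPLE_LOGS):
        print(ev["srcip"], "->", ev["dstip"], ev["attack"], ev["cve"], ev["action"])
```

Only the second sample line is reported: its signature matched a HAFNIUM CVE but the action was "detected" rather than a blocking action.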

See the Solution section for instructions on how to load these into FortiSIEM.


Scope

Solution
All screenshots below are for illustration purposes and were taken from FortiSIEM 6.x.

1) Download the Fortinet_FortiSIEM-MS-Exchange-Attack-Detection.zip file (contains two files).

2) Unzip Fortinet_FortiSIEM-MS-Exchange-Attack-Detection.zip.


3) Use HAFNIUM_Report_v1.xml as the file to import the Reports.
    a. Navigate to Resource / Reports.
    b. It is recommended to create a new group called “HAFNIUM Attack” under Resource / Reports / Security and import the reports into this group.
    c. Select the Import option under "More".
    d. Select HAFNIUM_Report_v1.xml and import.

4) Use HAFNIUM_Rule_v1.xml as the file to import the Rules.
    a. Navigate to Resource / Rules.
    b. It is recommended to create a new group called “HAFNIUM Attack” under Resource / Rules / Security / Threat Hunting and import the rules into this group.
    c. Click Import.
    d. Select HAFNIUM_Rule_v1.xml and import.
    e. Filter the rules on HAFNIUM and ensure that they are Enabled.

Screenshot: Imported and enabled Rules

Screenshot: Imported Reports

Related Articles

Technical Tip: How to use FortiAnalyzer to detect activities related Microsoft Exchange vulnerabilit...
