Sunburst APT - FortiSIEM Forensic Reports

  • 1.  Sunburst APT - FortiSIEM Forensic Reports

    Posted Dec 21, 2020 11:16 AM
      |   view attached

    As you're no doubt aware, the recently discovered Sunburst hack of Solarwinds tools has caused extreme consternation. Many users will be wondering if Sunburst has been active in their network. For this attack, there are numerous indicators of compromise (IOCs), a number of which I've tried to capture in the attached FortiSIEM reports.

    Who can use it

    So far, it seems that Sunburst effects the SolarWinds Orion tool, so shops using this tool ought to look for IOCs. Anyone who needs a means of searching for IOCs in the event history can make use of these reports.

    How it works

    Import the attached XML file into FortiSIEM reports, perhaps first creating a custom directory to hold the 4 reports.

    These reports scan historical events (based on a user-selected timeframe) for host names & IPs known to be associated with Sunburst. Any results shown in these reports will show communication to or from hosts associated with this attack.

    There are two sets of reports, one for inbound, another for outbound activity. This is done for legibility.
    There are also two versions of in & outbound. They show the same data, but one version searches using a 'contains' operator and is the more exhaustive, but perhaps longer running query. If you choose to run the exhaustive reports, there's no reason to run the quicker ones.

    I imagine the outbound activity reports may be more likely to find suspicious events, but I haven't had the opportunity to try this yet on a network with a compromised instance of SolarWinds Orion.


    These reports should be considered a basic means of looking for Sunburst activity. They're not exhaustive; if no results are shown, an infection could still be present. Since Sunburst operates as an APT, these reports should be run across many weeks or months of event history, keeping in mind they may take some time to run.