In light of the recent cyberattack on the SolarWinds Orion platform, we have devised a few ways to help you deal with the situation.
First of all, we strongly advise all clients who use our SolarWinds connector to update their Orion platform and apply all mitigation measures recommended in the Security Advisory issued by SolarWinds. In the next release of RightITnow ECM, the connector will automatically raise a critical alert should it connect to an Orion instance whose version is affected by these vulnerabilities.
Second, we are providing a rule-pack that checks future incoming alerts, from any source system, for references to currently known IOCs (IP addresses, domains and DLL names/hashes) related to the Sunburst and Supernova exploits. Alerts matching the rules will have their severity changed to Critical and can be viewed in the Alerts Console.
Finally, we are providing a filter-pack that finds existing alerts, generated from any source system, that reference the same IOCs mentioned above.
We hope that these few simple steps will help you in case you are faced with these breaches.
To download and install the rule-pack:
- Download and unzip the file sunburst_detection_rules_v1.zip (SHA1 sum: 973b885c596b79f8ecc5c97734f7c76a5e02d1b0)
- Log in to your ECM and navigate to the Correlations tab.
- Click the Import button in the bottom toolbar.
- Select the sunburst_detection_rules_v1.xml file.
- You should see 7 new rules under the Upon Event Arrival grouping of rules. Select and deploy them using the Deploy button.
- The rules can be changed to suit your monitoring and business needs.
To download and install the filter-pack:
- Download and unzip the file sunburst_detection_filters_v1.zip (SHA1 sum: b8b1f0a16c735fe58e466462ee297a22726a7399)
- Log in to your ECM and navigate to the Configuration -> Manage Alert Filters tab.
- Click the Import button in the bottom toolbar.
- Select the sunburst_detection_filters_v1.xml file.
- Navigate to the Alerts Console and you should see 7 new filters in the filters selection dropdown. Select any of the filters to apply them.
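Both download steps above publish a SHA1 sum, which can be checked before either pack is unzipped or imported. The script below is an added example, not part of the RightITnow packs: the function names and the download-directory argument are assumptions, while the file names and sums are the ones listed above.

```shell
#!/bin/sh
# Added example: verify the downloaded packs against their published SHA1 sums.

# Print the lowercase SHA1 hex digest of a file, using whichever tool exists.
sha1_of() {
    if command -v sha1sum >/dev/null 2>&1; then
        sha1sum "$1" | awk '{print tolower($1)}'
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 1 "$1" | awk '{print tolower($1)}'
    else
        openssl dgst -sha1 "$1" | awk '{print tolower($NF)}'
    fi
}

# verify_pack FILE EXPECTED_SHA1 (hypothetical helper name)
# Returns 0 on match, 1 on mismatch, 2 if the file is missing or unreadable.
verify_pack() {
    file=$1
    # Normalise the expected sum: lowercase, no stray whitespace from copy/paste.
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f' | tr -d '[:space:]')
    if [ ! -r "$file" ]; then
        echo "MISSING  $file" >&2
        return 2
    fi
    actual=$(sha1_of "$file")
    if [ "$actual" = "$expected" ]; then
        echo "OK       $file"
        return 0
    fi
    echo "MISMATCH $file (got $actual, expected $expected)" >&2
    return 1
}

# verify_all [DIR]: check both packs in DIR (default: current directory).
# Returns 0 only if both files are present and match the published sums.
verify_all() {
    dir=${1:-.}
    rc=0
    verify_pack "$dir/sunburst_detection_rules_v1.zip" \
        973b885c596b79f8ecc5c97734f7c76a5e02d1b0 || rc=1
    verify_pack "$dir/sunburst_detection_filters_v1.zip" \
        b8b1f0a16c735fe58e466462ee297a22726a7399 || rc=1
    return $rc
}
```

Source the script and run `verify_all` with the directory holding the two zip files; import the XML files only if it returns 0.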