Detection rules for FortiGate data sources. Each rule includes its MITRE ATT&CK mapping, impact rating, and a description of what it detects.

This category contains 7 detection rules.

| Rule | Category | Technique | Impact (C/I/A) |
|---|---|---|---|
| Admin Account Compromise Indicators | Defense Evasion, Persistence, Privilege Escalation, Initial Access | T1078 - Valid Accounts | C:3 / I:3 / A:2 |
| Data Loss Prevention Trigger | Exfiltration | T1048 - Exfiltration Over Alternative Protocol | C:3 / I:2 / A:1 |
| FortiGate Admin Login from Unusual Source | Initial Access | T1078 - Valid Accounts | C:3 / I:2 / A:1 |
| FortiGate VPN Authentication Brute Force | Credential Access | T1133 - External Remote Services | C:3 / I:2 / A:1 |
| FortiSandbox Malicious File Detection | Execution | T1204 - User Execution | C:3 / I:3 / A:2 |
| Fortinet Antivirus Malware Outbreak Detection | Initial Access | T1566 - Phishing | C:3 / I:3 / A:2 |
| Fortinet IPS Critical Severity Detection | Execution | T1203 - Exploitation for Client Execution | C:3 / I:3 / A:2 |

Rule Example

Below is an example of a rule definition for Admin Account Compromise Indicators:

# Rule version v1.0.0

dataTypes:
  - firewall-fortigate-traffic
name: Admin Account Compromise Indicators
impact:
  confidentiality: 3
  integrity: 3
  availability: 2
category: Defense Evasion, Persistence, Privilege Escalation, Initial Access
technique: "T1078 - Valid Accounts"
adversary: origin
references:
  - https://attack.mitre.org/techniques/T1078/
  - https://docs.fortinet.com/document/fortigate/7.4.1/fortios-log-message-reference/160372/list-of-log-types-and-subtypes
description: |
  Detects multiple failed admin login attempts followed by a successful login from the same IP address, indicating potential account compromise through credential stuffing or brute force attacks.

  Next Steps:
  1. Review the source IP address and check if it's from an expected location
  2. Contact the admin user to verify if the login was legitimate
  3. Check for any suspicious activities performed after the successful login
  4. Review other authentication logs from the same IP address
  5. Consider implementing IP-based access controls for admin accounts
  6. Enable multi-factor authentication if not already configured
  7. Reset the compromised admin account password if unauthorized access is confirmed
where: |
  equals("log.logid", "0100032001") && 
  equals("log.type", "event") && 
  equals("log.subtype", "system") && 
  equals("log.logdesc", "Admin login successful") && 
  exists("origin.ip") &&
  exists("log.user")
afterEvents:
  - indexPattern: v11-log-firewall-fortigate-traffic-*
    with:
      - field: origin.ip
        operator: filter_term
        value: '{{.origin.ip}}'
      - field: log.logdesc
        operator: filter_term
        value: 'Admin login failed'
      - field: log.user
        operator: filter_term
        value: '{{.log.user}}'
    within: now-15m
    count: 5
groupBy:
  - adversary.ip
  - target.user
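The Python below is an added example, not part of the rule repository: it replays the same correlation as the rule above (a successful admin login, logid 0100032001, preceded by at least 5 "Admin login failed" events for the same source IP and user within 15 minutes) over constructed FortiGate-style event lines. The failed-login logid value and the IP addresses in the sample are assumptions; matching is done on logdesc, as the rule's afterEvents does.

```python
import re
from datetime import datetime, timedelta

# Constructed FortiGate-style event/system log lines (sample values, not device output).
# The failed-login logid is an assumed sample value; matching uses logdesc, as the rule does.
SAMPLE_LOGS = [
    'date=2024-05-01 time=10:00:01 logid="0100032002" type="event" subtype="system" user="admin" srcip=203.0.113.7 logdesc="Admin login failed"',
    'date=2024-05-01 time=10:00:02 logid="0100032002" type="event" subtype="system" user="admin" srcip=203.0.113.7 logdesc="Admin login failed"',
    'date=2024-05-01 time=10:00:03 logid="0100032002" type="event" subtype="system" user="admin" srcip=203.0.113.7 logdesc="Admin login failed"',
    'date=2024-05-01 time=10:00:04 logid="0100032002" type="event" subtype="system" user="admin" srcip=203.0.113.7 logdesc="Admin login failed"',
    'date=2024-05-01 time=10:00:05 logid="0100032002" type="event" subtype="system" user="admin" srcip=203.0.113.7 logdesc="Admin login failed"',
    'date=2024-05-01 time=10:00:09 logid="0100032001" type="event" subtype="system" user="admin" srcip=203.0.113.7 logdesc="Admin login successful"',
    # Two failures then success: below the count threshold, so no alert.
    'date=2024-05-01 time=10:02:00 logid="0100032002" type="event" subtype="system" user="ops" srcip=198.51.100.4 logdesc="Admin login failed"',
    'date=2024-05-01 time=10:02:05 logid="0100032002" type="event" subtype="system" user="ops" srcip=198.51.100.4 logdesc="Admin login failed"',
    'date=2024-05-01 time=10:02:10 logid="0100032001" type="event" subtype="system" user="ops" srcip=198.51.100.4 logdesc="Admin login successful"',
    # Same admin/IP succeeds again 30 minutes later: the earlier failures fall outside the window.
    'date=2024-05-01 time=10:30:00 logid="0100032001" type="event" subtype="system" user="admin" srcip=203.0.113.7 logdesc="Admin login successful"',
]

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_fortigate_line(line):
    """Split a key=value FortiGate log line into a dict and add a parsed timestamp."""
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    fields["ts"] = datetime.strptime(fields["date"] + " " + fields["time"], "%Y-%m-%d %H:%M:%S")
    return fields

def find_compromise_indicators(lines, window=timedelta(minutes=15), threshold=5):
    """Successful admin login preceded by >= threshold failures for the same srcip/user within window."""
    events = sorted((parse_fortigate_line(l) for l in lines), key=lambda e: e["ts"])
    alerts = []
    for ev in events:
        if (ev.get("logid"), ev.get("type"), ev.get("subtype"), ev.get("logdesc")) != \
                ("0100032001", "event", "system", "Admin login successful"):
            continue  # only the trigger event (the rule's `where` clause) starts a lookback
        failures = [f for f in events
                    if f.get("logdesc") == "Admin login failed"
                    and f.get("srcip") == ev["srcip"] and f.get("user") == ev["user"]
                    and ev["ts"] - window <= f["ts"] < ev["ts"]]
        if len(failures) >= threshold:
            # Keyed the way the rule groups alerts (adversary.ip / target.user).
            alerts.append({"adversary.ip": ev["srcip"], "target.user": ev["user"],
                           "failed_attempts": len(failures), "login_time": ev["ts"].isoformat()})
    return alerts

if __name__ == "__main__":
    for alert in find_compromise_indicators(SAMPLE_LOGS):
        print(alert)
```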

Rule Details

Admin Account Compromise Indicators

Detects multiple failed admin login attempts followed by a successful login from the same IP address, indicating potential account compromise through credential stuffing or brute force attacks.

Data Loss Prevention Trigger

Detects attempts to exfiltrate sensitive data that trigger DLP policies. This includes detection of credit card numbers, social security numbers, PII, financial records, and other regulated data attempting to leave the network.

FortiGate Admin Login from Unusual Source

Detects FortiGate admin logins from unusual or external IP addresses. Successful administrative access from non-management networks may indicate credential compromise.

FortiGate VPN Authentication Brute Force

Detects multiple SSL-VPN or IPsec VPN authentication failures from the same source IP on FortiGate, indicating brute force or credential stuffing attacks against remote access services.

FortiSandbox Malicious File Detection

Detects when FortiSandbox identifies a file as malicious based on behavioral analysis and static scanning. This indicates active malware attempting to infiltrate the network through file transfers or downloads.

Fortinet Antivirus Malware Outbreak Detection

Detects a potential malware outbreak when multiple antivirus detections occur from the same source or target multiple destinations in a short time period. This could indicate a widespread infection attempt or a compromised system attempting to spread malware.

Fortinet IPS Critical Severity Detection

Detects critical severity IPS events indicating active exploitation attempts or severe security threats targeting the network.