FortiGate SSL VPN Login Followed by SIEM Alert by User

 1[metadata]
 2creation_date = "2026/02/20"
 3integration = ["fortinet_fortigate"]
 4maturity = "production"
 5updated_date = "2026/02/20"
 6
 7[rule]
 8author = ["Elastic"]
 9description = """
10Detects when a FortiGate SSL VPN login event is followed by any SIEM detection alert for the same user name within a
11short time window. This correlation can indicate abuse of VPN access for malicious activity, credential compromise
12used from a VPN session, or initial access via VPN followed by post-compromise behavior.
13"""
14from = "now-9m"
15index = ["logs-fortinet_fortigate.log-*", ".alerts-security.*"]
16language = "eql"
17license = "Elastic License v2"
18name = "FortiGate SSL VPN Login Followed by SIEM Alert by User"
19references = [
20    "https://attack.mitre.org/tactics/TA0001/",
21    "https://www.elastic.co/docs/reference/integrations/fortinet_fortigate",
22]
23risk_score = 47
24rule_id = "a7f2c1b4-5d8e-4f3a-9b0c-2e1d4a6b8f3e"
25severity = "medium"
26tags = [
27    "Use Case: Threat Detection",
28    "Rule Type: Higher-Order Rule",
29    "Tactic: Initial Access",
30    "Data Source: Fortinet",
31    "Resources: Investigation Guide",
32]
33timestamp_override = "event.ingested"
34type = "eql"
35
36query = '''
37sequence by user.name with maxspan=10m
38 [authentication where event.dataset == "fortinet_fortigate.log" and event.action == "login" and event.code in ("0101039426", "0101039427")]
39 [any where event.kind == "signal" and kibana.alert.rule.name != null and event.dataset != "fortinet_fortigate.log" and
40  kibana.alert.risk_score > 21 and kibana.alert.rule.rule_id != "a7f2c1b4-5d8e-4f3a-9b0c-2e1d4a6b8f3e" and user.name != null]
41'''
42note = """## Triage and analysis
43
44### Investigating FortiGate SSL VPN Login Followed by SIEM Alert by User
45
46This rule correlates a FortiGate SSL VPN login with a subsequent security alert for the same user name, highlighting possible abuse of VPN access or activity shortly after remote access.
47
48### Possible investigation steps
49
50- Review the FortiGate login event (source IP, user, time) and the SIEM alert(s) that followed for the same user.
51- Determine whether the user is expected to use VPN and whether the subsequent alert is related to legitimate work (e.g. admin tools, updates).
52- Check for other alerts or logins for the same user in the same time window to assess scope.
53- Correlate with authentication logs to identify impossible travel or credential reuse from the VPN session.
54
55### False positive analysis
56
57- Legitimate VPN users triggering detections (e.g. scripted tasks, admin tooling) after login.
58- Security scans or automated jobs that run in the context of a VPN-authenticated user.
59
60### Response and remediation
61
62- If abuse or compromise is suspected, disable or reset the user’s VPN access and credentials.
63- Investigate the host and process associated with the SIEM alert.
64- Escalate to the security or incident response team if the alert indicates malicious activity.
65"""
66
67
68[[rule.threat]]
69framework = "MITRE ATT&CK"
70[[rule.threat.technique]]
71id = "T1078"
72name = "Valid Accounts"
73reference = "https://attack.mitre.org/techniques/T1078/"
74
75
76[rule.threat.tactic]
77id = "TA0001"
78name = "Initial Access"
79reference = "https://attack.mitre.org/tactics/TA0001/"```