FortiGate SSL VPN Login Followed by SIEM Alert by User
Detects when a FortiGate SSL VPN login event is followed by any SIEM detection alert for the same user name within a short time window. This correlation can indicate abuse of VPN access for malicious activity, credential compromise used from a VPN session, or initial access via VPN followed by post-compromise behavior.
Elastic rule
```toml
[metadata]
creation_date = "2026/02/20"
integration = ["fortinet_fortigate"]
maturity = "production"
updated_date = "2026/03/09"

[rule]
author = ["Elastic"]
description = """
Detects when a FortiGate SSL VPN login event is followed by any SIEM detection alert for the same user name within a
short time window. This correlation can indicate abuse of VPN access for malicious activity, credential compromise
used from a VPN session, or initial access via VPN followed by post-compromise behavior.
"""
from = "now-9m"
index = ["logs-fortinet_fortigate.log-*", ".alerts-security.*"]
language = "eql"
license = "Elastic License v2"
name = "FortiGate SSL VPN Login Followed by SIEM Alert by User"
references = [
    "https://attack.mitre.org/tactics/TA0001/",
    "https://www.elastic.co/docs/reference/integrations/fortinet_fortigate",
]
risk_score = 47
rule_id = "a7f2c1b4-5d8e-4f3a-9b0c-2e1d4a6b8f3e"
severity = "medium"
tags = [
    "Use Case: Threat Detection",
    "Rule Type: Higher-Order Rule",
    "Tactic: Initial Access",
    "Data Source: Fortinet",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
sequence by user.name with maxspan=10m
  [authentication where event.dataset == "fortinet_fortigate.log" and event.action == "login" and event.code in ("0101039426", "0101039427") and
   user.name != "root"]
  [any where event.kind == "signal" and kibana.alert.rule.name != null and event.dataset != "fortinet_fortigate.log" and
   kibana.alert.risk_score > 21 and kibana.alert.rule.rule_id != "a7f2c1b4-5d8e-4f3a-9b0c-2e1d4a6b8f3e" and user.name != null]
'''
note = """## Triage and analysis

### Investigating FortiGate SSL VPN Login Followed by SIEM Alert by User

This rule correlates a FortiGate SSL VPN login with a subsequent security alert for the same user name, highlighting possible abuse of VPN access or activity shortly after remote access.

### Possible investigation steps

- Review the FortiGate login event (source IP, user, time) and the SIEM alert(s) that followed for the same user.
- Determine whether the user is expected to use VPN and whether the subsequent alert is related to legitimate work (e.g. admin tools, updates).
- Check for other alerts or logins for the same user in the same time window to assess scope.
- Correlate with authentication logs to identify impossible travel or credential reuse from the VPN session.

### False positive analysis

- Legitimate VPN users triggering detections (e.g. scripted tasks, admin tooling) after login.
- Security scans or automated jobs that run in the context of a VPN-authenticated user.

### Response and remediation

- If abuse or compromise is suspected, disable or reset the user’s VPN access and credentials.
- Investigate the host and process associated with the SIEM alert.
- Escalate to the security or incident response team if the alert indicates malicious activity.
"""


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1078"
name = "Valid Accounts"
reference = "https://attack.mitre.org/techniques/T1078/"


[rule.threat.tactic]
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"
```
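The following is an added example, not code from the Elastic rule or the fortinet_fortigate integration: a plain-Python approximation of the `sequence by user.name with maxspan=10m` query above, run over constructed events so each of the query's filters (the `root` exclusion, the `risk_score > 21` floor, the self-exclusion on `rule_id`, the 10-minute window) can be exercised offline. The event dicts, timestamps, user names, source IP, rule names, risk scores and the placeholder `OTHER_RULE_ID` are made up; the field names are the ECS and Kibana alert fields the query references. EQL's sequence matching is simplified here to "most recent unmatched login per user, consumed by the first qualifying alert".

```python
# Added example (not code from the Elastic rule or the fortinet_fortigate
# integration): a plain-Python approximation of the EQL
# `sequence by user.name with maxspan=10m` query, run over constructed
# events so the rule's exclusions can be exercised offline.
from datetime import datetime, timedelta, timezone

RULE_ID = "a7f2c1b4-5d8e-4f3a-9b0c-2e1d4a6b8f3e"   # this rule's own id, excluded in step 2
LOGIN_CODES = {"0101039426", "0101039427"}         # FortiGate event.code values from the query
MAXSPAN = timedelta(minutes=10)


def is_vpn_login(e):
    """Step 1: FortiGate SSL VPN login for any account other than root."""
    return (e.get("event.dataset") == "fortinet_fortigate.log"
            and e.get("event.category") == "authentication"
            and e.get("event.action") == "login"
            and e.get("event.code") in LOGIN_CODES
            and e.get("user.name") not in (None, "root"))


def is_followup_alert(e):
    """Step 2: another detection's alert, attributed to a user, above the risk floor."""
    return (e.get("event.kind") == "signal"
            and e.get("kibana.alert.rule.name") is not None
            and e.get("event.dataset") != "fortinet_fortigate.log"
            and (e.get("kibana.alert.risk_score") or 0) > 21
            and e.get("kibana.alert.rule.rule_id") != RULE_ID
            and e.get("user.name") is not None)


def correlate(events, maxspan=MAXSPAN):
    """Return (login, alert) pairs per user.name where the alert follows the
    login within maxspan. Simplification of EQL sequence semantics: the most
    recent unmatched login per user is the candidate, and a login is consumed
    by the first alert that completes the sequence."""
    matches = []
    pending = {}  # user.name -> most recent unmatched login
    for e in sorted(events, key=lambda x: x["@timestamp"]):
        user = e.get("user.name")
        if is_vpn_login(e):
            pending[user] = e
        elif is_followup_alert(e) and user in pending:
            login_event = pending[user]
            if e["@timestamp"] - login_event["@timestamp"] <= maxspan:
                matches.append((login_event, e))
                del pending[user]
    return matches


# --- constructed sample data (not real logs) ---------------------------------
T0 = datetime(2026, 3, 9, 8, 0, tzinfo=timezone.utc)
OTHER_RULE_ID = "00000000-0000-0000-0000-000000000001"  # placeholder id for some other detection


def login(user, minutes, code="0101039426", src="203.0.113.10"):
    return {"@timestamp": T0 + timedelta(minutes=minutes),
            "event.dataset": "fortinet_fortigate.log", "event.category": "authentication",
            "event.action": "login", "event.code": code, "user.name": user, "source.ip": src}


def alert(user, minutes, rule_name, risk, rule_id=OTHER_RULE_ID, dataset="endpoint.alerts"):
    return {"@timestamp": T0 + timedelta(minutes=minutes), "event.kind": "signal",
            "event.dataset": dataset, "kibana.alert.rule.name": rule_name,
            "kibana.alert.rule.rule_id": rule_id, "kibana.alert.risk_score": risk,
            "user.name": user}


SAMPLE_EVENTS = [
    login("alice", 0),
    alert("alice", 4, "Suspicious PowerShell Download", 47),        # within 10m: match
    login("bob", 0),
    alert("bob", 15, "Suspicious PowerShell Download", 47),         # 15m later: outside maxspan
    login("carol", 0),
    alert("carol", 2, "Informational Alert", 21),                   # risk_score is not > 21
    login("root", 0),
    alert("root", 1, "Suspicious PowerShell Download", 73),         # root is excluded by step 1
    login("dave", 0),
    alert("dave", 3, "FortiGate SSL VPN Login Followed by SIEM Alert by User", 47,
          rule_id=RULE_ID),                                         # this rule's own alert: excluded
    login("erin", 0, code="0101039427"),
    alert("erin", 9, "Elastic Defend Alert", 73),                   # second login code, in window: match
]


def matched_users(events=SAMPLE_EVENTS):
    """User names for which the sequence completes, in alert order."""
    return [lg["user.name"] for lg, _ in correlate(events)]


if __name__ == "__main__":
    for lg, al in correlate(SAMPLE_EVENTS):
        gap = (al["@timestamp"] - lg["@timestamp"]).total_seconds() // 60
        print(f'{lg["user.name"]}: VPN login from {lg["source.ip"]} -> '
              f'"{al["kibana.alert.rule.name"]}" {gap:.0f}m later')
```

Running it matches only `alice` and `erin`. Two of the exclusions are worth keeping in mind when tuning: the `kibana.alert.rule.rule_id != ...` clause exists because `.alerts-security.*` also receives this rule's own alerts, so without it every match would satisfy step 2 on the next run and the rule would feed itself; and `kibana.alert.risk_score > 21` drops alerts at Elastic's default low-severity score (21), so lowering it pulls in informational detections and raises the false-positive rate described in the note.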
Related rules
- Elastic Defend Alert from GenAI Utility or Descendant
- Okta Alerts Following Unusual Proxy Authentication
- Newly Observed FortiGate Alert
- Okta Successful Login After Credential Attack
- Accepted Default Telnet Port Connection