Newly Observed FortiGate Alert
This rule detects FortiGate alerts that are observed for the first time in the previous 5 days of alert history. Analysts can use this to prioritize triage and response.
Elastic rule
[metadata]
creation_date = "2026/01/21"
integration = ["fortinet_fortigate"]
maturity = "production"
updated_date = "2026/02/18"

[rule]
author = ["Elastic"]
description = """
This rule detects FortiGate alerts that are observed for the first time in the previous 5 days of alert history.
Analysts can use this to prioritize triage and response.
"""
from = "now-7205m"
interval = "5m"
language = "esql"
license = "Elastic License v2"
name = "Newly Observed FortiGate Alert"
risk_score = 99
rule_id = "2c40dfe2-c13e-48a8-8eff-fb9bfb2a7854"
severity = "critical"
tags = ["Use Case: Threat Detection", "Rule Type: Higher-Order Rule", "Resources: Investigation Guide", "Domain: Network", "Data Source: Fortinet"]
timestamp_override = "event.ingested"
type = "esql"

query = '''
FROM logs-fortinet_fortigate.*, filebeat-* metadata _id

| WHERE event.module == "fortinet_fortigate" and event.action in ("signature", "ssl-anomaly") and
 message is not null and event.category != "authentication" and
 message != "Connection Failed" and not message like "Web.Client: *" and
 not message like "Network.Service: *" and not message like "General.Interest*" and not message like "Update: *" and
 not message like "tcp_reassembler*" and not message like "a-ipdf*" and not message like "Video*" and not message like "nbss_decode*" and
 not message like "name_server*" and not message like "misc*" and not message like "Collaboration*" and not message like "Business*" and
 not message like "Cloud.IT*" and not message like "Mobile*"

| STATS Esql.alerts_count = count(*),
 Esql.first_time_seen = MIN(@timestamp),
 Esql.distinct_count_src_ip = COUNT_DISTINCT(source.ip),
 Esql.distinct_count_dst_ip = COUNT_DISTINCT(destination.ip),
 src_ip = VALUES(source.ip),
 dst_ip = VALUES(destination.ip),
 url_domain = VALUES(url.domain),
 url_path = VALUES(url.path) by message, event.category, event.outcome

// first time seen is within 10m of the rule execution time
| eval Esql.recent = DATE_DIFF("minute", Esql.first_time_seen, now())
| where Esql.recent <= 10 and Esql.alerts_count <= 5 and Esql.distinct_count_src_ip <= 2 and Esql.distinct_count_dst_ip <= 2

// move dynamic fields to ECS equivalent for rule exceptions
| eval source.ip = MV_FIRST(src_ip),
 destination.ip = MV_FIRST(dst_ip),
 url.domain = MV_FIRST(url_domain),
 url.path = MV_FIRST(url_path)

| keep message, event.category, event.outcome, Esql.*, source.ip, destination.ip, url.domain, url.path
'''
note = """## Triage and analysis

### Investigating Newly Observed FortiGate Alert

This rule surfaces newly observed, low-frequency, high-severity FortiGate alerts within the last 5 days.

Because the alert has not been seen previously, it should be prioritized for validation to determine whether it represents a true compromise or rare benign activity.

### Investigation Steps

- Identify the source address and affected host, and review the associated message to understand the alert.
- Validate the source address under which the activity occurred and assess whether it aligns with normal behavior.
- Refer to the specific alert details, such as event.original, for more context.

### False Positive Considerations

- Vulnerability scanners and penetration testing.
- Administrative scripts or automation tools can trigger detections when first introduced.
- Development or testing environments may produce one-off behaviors that resemble malicious techniques.

### Response and Remediation

- If the activity is confirmed malicious, isolate the affected host to prevent further execution or lateral movement.
- Terminate malicious processes and remove any dropped files or persistence mechanisms.
- Collect forensic artifacts to understand initial access and execution flow.
- Patch or remediate any vulnerabilities or misconfigurations that enabled the behavior.
- If benign, document the finding and consider tuning or exception handling to reduce future noise.
- Continue monitoring the host and environment for recurrence of the behavior or related alerts."""
references = ["https://www.elastic.co/docs/reference/integrations/fortinet_fortigate"]
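To check the rule's filtering, grouping and thresholds outside Elasticsearch, here is an added Python re-implementation of the ES|QL logic run over constructed FortiGate-style events (example code written for this page, not Elastic's rule or the integration's code; the signature names and addresses are made up).

```python
from datetime import datetime, timedelta, timezone
from fnmatch import fnmatchcase
# ES|QL `not message like "X*"` exclusions from the rule; `*` maps to a shell-style glob.
EXCLUDED_GLOBS = ("Web.Client: *", "Network.Service: *", "General.Interest*", "Update: *",
                  "tcp_reassembler*", "a-ipdf*", "Video*", "nbss_decode*", "name_server*",
                  "misc*", "Collaboration*", "Business*", "Cloud.IT*", "Mobile*")

def in_scope(e):
    """Mirror of the rule's WHERE clause for one flattened event dict."""
    msg = e.get("message")
    return (e.get("event.module") == "fortinet_fortigate"
            and e.get("event.action") in ("signature", "ssl-anomaly")
            and msg is not None and e.get("event.category") != "authentication"
            and msg != "Connection Failed"
            and not any(fnmatchcase(msg, g) for g in EXCLUDED_GLOBS))

def newly_observed(events, now, recent_min=10, max_alerts=5, max_distinct=2):
    """STATS ... BY message, event.category, event.outcome, then the rule's thresholds."""
    groups = {}
    for e in filter(in_scope, events):
        g = groups.setdefault((e["message"], e.get("event.category"), e.get("event.outcome")),
                              {"count": 0, "first": e["@timestamp"], "src": set(), "dst": set()})
        g["count"] += 1
        g["first"] = min(g["first"], e["@timestamp"])            # MIN(@timestamp)
        for field, bucket in (("source.ip", "src"), ("destination.ip", "dst")):
            if e.get(field) is not None:                         # COUNT_DISTINCT skips nulls
                g[bucket].add(e[field])
    hits = []
    for (message, category, outcome), g in groups.items():
        recent = (now - g["first"]) / timedelta(minutes=1)       # DATE_DIFF("minute", first, now())
        if (recent <= recent_min and g["count"] <= max_alerts
                and len(g["src"]) <= max_distinct and len(g["dst"]) <= max_distinct):
            hits.append({"message": message, "event.category": category, "event.outcome": outcome,
                         "alerts_count": g["count"], "source.ip": min(g["src"], default=None),
                         "destination.ip": min(g["dst"], default=None)})  # stand-in for MV_FIRST
    return hits
# Constructed sample events (signature names and addresses are made up for this demo).
NOW = datetime(2026, 2, 18, 12, 0, tzinfo=timezone.utc)
def ev(message, minutes_ago, src="10.0.0.5", dst="203.0.113.10", category="intrusion_detection"):
    return {"event.module": "fortinet_fortigate", "event.action": "signature", "message": message,
            "event.category": category, "event.outcome": "success", "source.ip": src,
            "destination.ip": dst, "@timestamp": NOW - timedelta(minutes=minutes_ago)}
SAMPLE_EVENTS = (
    [ev("Example.Rare.Signature", 3), ev("Example.Rare.Signature", 1)]   # new and rare -> alert
    + [ev("Web.Client: Example.Browser", 2), ev("Connection Failed", 2)]  # excluded by WHERE
    + [ev("Example.Old.Signature", 3 * 24 * 60)]                          # first seen days ago
    + [ev("Example.Noisy.Signature", i, src=f"10.0.1.{i}") for i in range(6)])  # too many, too spread

def run_demo():
    return newly_observed(SAMPLE_EVENTS, NOW)
```

Only the rare signature survives: the excluded prefixes never reach STATS, the old signature fails the 10-minute recency check, and the noisy one exceeds both the alert-count and distinct-source limits.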
Related rules
- Newly Observed High Severity Suricata Alert
- Elastic Defend and Network Security Alerts Correlation
- First-Time FortiGate Administrator Login
- FortiGate Administrator Account Creation from Unusual Source
- FortiGate Administrator Login from Multiple IP Addresses