FortiGate Configuration File Downloaded

 1[metadata]
 2creation_date = "2026/01/28"
 3integration = ["fortinet_fortigate"]
 4maturity = "production"
 5updated_date = "2026/01/28"
 6
 7[rule]
 8author = ["Elastic"]
 9description = """
10This rule detects the download of a FortiGate device configuration file. Configuration exports contain sensitive data
11including administrator password hashes, LDAP bind credentials, VPN pre-shared keys, routing tables, and firewall
12policies. Threat actors exploiting CVE-2026-24858 have been observed exporting the full device configuration
13immediately after gaining access to harvest credentials and map the internal network.
14"""
15from = "now-9m"
16interval = "5m"
17index = ["logs-fortinet_fortigate.*"]
18language = "eql"
19license = "Elastic License v2"
20name = "FortiGate Configuration File Downloaded"
21note = """## Triage and analysis
22
23### Investigating FortiGate Configuration File Downloaded
24
25This alert indicates that a FortiGate device configuration file was downloaded. Configuration files contain highly sensitive information including administrator credentials, LDAP/RADIUS secrets, VPN pre-shared keys, certificate private keys, and the complete network topology.
26
27In the FG-IR-26-060 campaign, threat actors exported the full device configuration shortly after creating rogue administrator accounts, using the harvested credentials for lateral movement and to maintain access through alternative channels.
28
29### Possible investigation steps
30
31- Review `source.user.name` to determine which account initiated the download and `fortinet.firewall.ui` for the source interface and IP address (e.g., GUI, CLI, or API). Verify whether this administrator is authorized to export device configurations.
32- Check whether a scheduled backup process or configuration management tool performed this action. Look for preceding SSO login events or administrator account creation events on the same device and determine whether the downloading account was recently created.
33- Check `observer.name` to identify which device had its configuration exported and search for configuration download events across other FortiGate devices in the fleet.
34- Check for firewall policy changes, VPN configuration modifications, or additional admin account creation after the download. Determine whether any credentials from the configuration have been used for lateral movement.
35
36### False positive analysis
37
38- Scheduled configuration backups performed by FortiManager, Ansible, or other automation tools.
39- Administrator-initiated backups during planned maintenance or before firmware upgrades.
40- Configuration audits or compliance checks that require config export.
41
42### Response and remediation
43
44- If unauthorized, treat all credentials in the configuration as compromised. Rotate all passwords, pre-shared keys, LDAP bind credentials, and RADIUS secrets contained in the configuration.
45- Revoke and reissue any certificates whose private keys were included in the export.
46- Audit the administrator account that performed the download for compromise and check for other indicators of compromise on the device (rogue admins, policy changes).
47- If the activity is expected, document the backup activity and verify it was performed through an authorized process. Ensure configuration backups are stored securely with appropriate access controls."""
48references = [
49    "https://www.fortiguard.com/psirt/FG-IR-26-060",
50    "https://www.fortinet.com/blog/psirt-blogs/analysis-of-sso-abuse-on-fortios",
51    "https://www.elastic.co/docs/reference/integrations/fortinet_fortigate",
52    "https://www.cisa.gov/news-events/alerts/2026/01/28/fortinet-releases-guidance-address-ongoing-exploitation-authentication-bypass-vulnerability-cve-2026",
53]
54risk_score = 47
55rule_id = "b7e2a04d-4f8a-4e12-8c9a-1d5e6f7a8b9c"
56severity = "medium"
57tags = [
58    "Use Case: Threat Detection",
59    "Tactic: Collection",
60    "Resources: Investigation Guide",
61    "Domain: Network",
62    "Data Source: Fortinet",
63    "Data Source: Fortinet FortiGate",
64]
65timestamp_override = "event.ingested"
66type = "eql"
67
68query = '''
69any where event.dataset == "fortinet_fortigate.log" and
70    event.code == "0100032095" and
71    fortinet.firewall.action == "download"
72'''
73
74
75[[rule.threat]]
76framework = "MITRE ATT&CK"
77[[rule.threat.technique]]
78id = "T1602"
79name = "Data from Configuration Repository"
80reference = "https://attack.mitre.org/techniques/T1602/"
81[[rule.threat.technique.subtechnique]]
82id = "T1602.002"
83name = "Network Device Configuration Dump"
84reference = "https://attack.mitre.org/techniques/T1602/002/"
85
86
87
88[rule.threat.tactic]
89id = "TA0009"
90name = "Collection"
91reference = "https://attack.mitre.org/tactics/TA0009/"