FortiGate Configuration File Downloaded

This rule detects the download of a FortiGate device configuration file. Configuration exports contain sensitive data including administrator password hashes, LDAP bind credentials, VPN pre-shared keys, routing tables, and firewall policies. Threat actors exploiting CVE-2026-24858 have been observed exporting the full device configuration immediately after gaining access to harvest credentials and map the internal network.

Elastic rule

[metadata]
creation_date = "2026/01/28"
integration = ["fortinet_fortigate"]
maturity = "production"
updated_date = "2026/04/10"

[rule]
author = ["Elastic"]
description = """
This rule detects the download of a FortiGate device configuration file. Configuration exports contain sensitive data
including administrator password hashes, LDAP bind credentials, VPN pre-shared keys, routing tables, and firewall
policies. Threat actors exploiting CVE-2026-24858 have been observed exporting the full device configuration
immediately after gaining access to harvest credentials and map the internal network.
"""
from = "now-9m"
interval = "5m"
index = ["logs-fortinet_fortigate.*"]
language = "eql"
license = "Elastic License v2"
name = "FortiGate Configuration File Downloaded"
note = """## Triage and analysis

### Investigating FortiGate Configuration File Downloaded

This alert indicates that a FortiGate device configuration file was downloaded. Configuration files contain highly sensitive information including administrator credentials, LDAP/RADIUS secrets, VPN pre-shared keys, certificate private keys, and the complete network topology.

In the FG-IR-26-060 campaign, threat actors exported the full device configuration shortly after creating rogue administrator accounts, using the harvested credentials for lateral movement and to maintain access through alternative channels.

### Possible investigation steps

- Review `source.user.name` to determine which account initiated the download and `fortinet.firewall.ui` for the source interface and IP address (e.g., GUI, CLI, or API). Verify whether this administrator is authorized to export device configurations.
- Check whether a scheduled backup process or configuration management tool performed this action. Look for preceding SSO login events or administrator account creation events on the same device and determine whether the downloading account was recently created.
- Check `observer.name` to identify which device had its configuration exported and search for configuration download events across other FortiGate devices in the fleet.
- Check for firewall policy changes, VPN configuration modifications, or additional admin account creation after the download. Determine whether any credentials from the configuration have been used for lateral movement.

### False positive analysis

- Scheduled configuration backups performed by FortiManager, Ansible, or other automation tools.
- Administrator-initiated backups during planned maintenance or before firmware upgrades.
- Configuration audits or compliance checks that require config export.

### Response and remediation

- If unauthorized, treat all credentials in the configuration as compromised. Rotate all passwords, pre-shared keys, LDAP bind credentials, and RADIUS secrets contained in the configuration.
- Revoke and reissue any certificates whose private keys were included in the export.
- Audit the administrator account that performed the download for compromise and check for other indicators of compromise on the device (rogue admins, policy changes).
- If the activity is expected, document the backup activity and verify it was performed through an authorized process. Ensure configuration backups are stored securely with appropriate access controls."""
references = [
    "https://www.fortiguard.com/psirt/FG-IR-26-060",
    "https://www.fortinet.com/blog/psirt-blogs/analysis-of-sso-abuse-on-fortios",
    "https://www.elastic.co/docs/reference/integrations/fortinet_fortigate",
    "https://www.cisa.gov/news-events/alerts/2026/01/28/fortinet-releases-guidance-address-ongoing-exploitation-authentication-bypass-vulnerability-cve-2026",
]
risk_score = 47
rule_id = "b7e2a04d-4f8a-4e12-8c9a-1d5e6f7a8b9c"
severity = "medium"
tags = [
    "Use Case: Threat Detection",
    "Tactic: Collection",
    "Tactic: Credential Access",
    "Resources: Investigation Guide",
    "Domain: Network",
    "Data Source: Fortinet",
    "Data Source: Fortinet FortiGate",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
any where data_stream.dataset == "fortinet_fortigate.log" and
    event.code == "0100032095" and
    fortinet.firewall.action == "download"
'''


[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1602"
name = "Data from Configuration Repository"
reference = "https://attack.mitre.org/techniques/T1602/"

[[rule.threat.technique.subtechnique]]
id = "T1602.002"
name = "Network Device Configuration Dump"
reference = "https://attack.mitre.org/techniques/T1602/002/"

[rule.threat.tactic]
id = "TA0009"
name = "Collection"
reference = "https://attack.mitre.org/tactics/TA0009/"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1552"
name = "Unsecured Credentials"
reference = "https://attack.mitre.org/techniques/T1552/"

[[rule.threat.technique.subtechnique]]
id = "T1552.001"
name = "Credentials In Files"
reference = "https://attack.mitre.org/techniques/T1552/001/"

[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"
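The EQL predicate above and the second investigation step from the guide (was the downloading account created on the same device shortly before?), worked as an added Python example that is not Elastic's code and not part of the rule: it applies the rule's three conditions to a batch of constructed ECS-style events and enriches each hit with the fields the guide tells the analyst to review. The shape assumed for an admin-account creation event (fortinet.firewall.cfgpath == "system.admin", action "Add", fortinet.firewall.cfgobj holding the created account name, and a placeholder event.code), the 24-hour lookback, and every device, user and address value are assumptions made for the example; check the field names against the integration's mapping before reusing them.

```python
from datetime import datetime, timedelta


def get_field(event, dotted):
    """Resolve an ECS dotted field name (e.g. 'fortinet.firewall.action')
    against a nested dict; return None when any segment is missing."""
    cur = event
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def matches_rule(event):
    """The rule's EQL query, re-expressed as a Python predicate."""
    return (
        get_field(event, "data_stream.dataset") == "fortinet_fortigate.log"
        and get_field(event, "event.code") == "0100032095"
        and get_field(event, "fortinet.firewall.action") == "download"
    )


def is_admin_creation(event):
    """ASSUMED shape of an admin-account creation event: a configuration
    change on cfgpath 'system.admin' with action 'Add'. Verify against the
    integration's field mapping; this is not taken from the rule."""
    return (
        get_field(event, "data_stream.dataset") == "fortinet_fortigate.log"
        and get_field(event, "fortinet.firewall.cfgpath") == "system.admin"
        and get_field(event, "fortinet.firewall.action") == "Add"
    )


def _ts(event):
    return datetime.fromisoformat(event["@timestamp"])


def triage(events, lookback=timedelta(hours=24)):
    """Run the rule over a batch and, for each hit, answer the guide's
    question: was `source.user.name` created on the same `observer.name`
    within `lookback` before the download? Returns one finding per hit,
    in timestamp order."""
    creations = [e for e in events if is_admin_creation(e)]
    findings = []
    for e in sorted(events, key=_ts):
        if not matches_rule(e):
            continue
        user = get_field(e, "source.user.name")
        device = get_field(e, "observer.name")
        recent = [
            c for c in creations
            if get_field(c, "observer.name") == device
            and get_field(c, "fortinet.firewall.cfgobj") == user
            and timedelta(0) <= _ts(e) - _ts(c) <= lookback
        ]
        findings.append({
            "timestamp": e["@timestamp"],
            "device": device,
            "user": user,
            "ui": get_field(e, "fortinet.firewall.ui"),
            "account_recently_created": bool(recent),
            # Who created the account, if it was created inside the lookback.
            "created_by": get_field(recent[0], "source.user.name") if recent else None,
        })
    return findings


def _event(ts, code, action, user, device, ui, **extra):
    """Build a minimal ECS-style FortiGate event (constructed sample data)."""
    ev = {
        "@timestamp": ts,
        "data_stream": {"dataset": "fortinet_fortigate.log"},
        "event": {"code": code},
        "fortinet": {"firewall": {"action": action, "ui": ui}},
        "source": {"user": {"name": user}},
        "observer": {"name": device},
    }
    ev["fortinet"]["firewall"].update(extra)
    return ev


# Constructed sample batch: one benign scheduled backup, one rogue-admin
# sequence, and one non-download event with the same log ID.
SAMPLE_EVENTS = [
    _event("2026-02-01T02:00:00+00:00", "0100032095", "download",
           "fortimanager", "fw-edge-02", "GUI(10.10.0.5)"),
    # Placeholder event.code: the real config-change log ID is not on the page.
    _event("2026-02-01T09:00:00+00:00", "PLACEHOLDER_CFG_CHANGE", "Add",
           "admin", "fw-edge-01", "GUI(198.51.100.23)",
           cfgpath="system.admin", cfgobj="svc-backup2"),
    _event("2026-02-01T09:12:00+00:00", "0100032095", "download",
           "svc-backup2", "fw-edge-01", "GUI(198.51.100.23)"),
    # Constructed non-download action under the same log ID: must not match.
    _event("2026-02-01T10:00:00+00:00", "0100032095", "upload",
           "admin", "fw-edge-01", "GUI(10.0.0.9)"),
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

Against the sample batch, `triage` returns two findings: the FortiManager backup on fw-edge-02 with `account_recently_created` False (a candidate for the scheduled-backup exception in the false-positive list), and the fw-edge-01 download by `svc-backup2`, flagged because that account was added twelve minutes earlier by `admin` from the same GUI source address, which is exactly the sequence the guide describes.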
