FortiGate Administrator Login from Multiple IP Addresses

This rule detects successful logins to the FortiGate management interface using the same Administrator account from multiple distinct source IP addresses within a 24-hour period. Administrator logins from multiple locations in a short time window may indicate credential sharing, compromised credentials, or unauthorized access and should be investigated.

Elastic rule (View on GitHub)

```toml
[metadata]
creation_date = "2026/01/28"
integration = ["fortinet_fortigate"]
maturity = "production"
updated_date = "2026/01/29"

[rule]
author = ["Elastic"]
description = """
This rule detects successful logins to the FortiGate management interface using the same Administrator account from
multiple distinct source IP addresses within a 24-hour period. Administrator logins from multiple locations in a short
time window may indicate credential sharing, compromised credentials, or unauthorized access and should be investigated.
"""
from = "now-24h"
interval = "5m"
language = "esql"
license = "Elastic License v2"
name = "FortiGate Administrator Login from Multiple IP Addresses"
note = """## Triage and Analysis

### Investigating FortiGate Administrator Login from Multiple IP Addresses

This alert indicates that the same **Administrator** account successfully logged in to the FortiGate management interface from **multiple distinct source IP addresses** within a 24-hour period.

Because FortiGate administrator credentials grant full control over network security infrastructure, this behavior may indicate credential compromise, account sharing, or misuse of administrative access.

### Investigation Steps

- **Review the affected account**
  - Identify the administrator account in `source.user.name`.
  - Confirm whether the account is shared, personal, or service-related.
  - Validate whether concurrent or near-concurrent access is expected.

- **Analyze source IP addresses**
  - Review the list of `source.ip` values associated with the logins.
  - Determine whether the IPs belong to trusted management networks, VPN pools, or jump hosts.
  - Investigate geolocation differences using `source.geo.country_name`.

- **Assess timing and session behavior**
  - Check whether logins occurred close together in time or overlapped.
  - Identify whether access patterns suggest session hopping or credential reuse.

- **Review post-authentication activity**
  - Examine FortiGate logs for configuration changes, policy updates, or administrative actions following the logins.
  - Look for additional authentication attempts (successful or failed) from the same IPs or user.

- **Correlate with environment context**
  - Verify maintenance windows, incident response activity, or operational tasks that could explain the behavior.
  - Confirm whether administrators commonly access FortiGate via multiple networks or devices.

### False Positive Considerations

- Administrators connecting through VPNs with dynamic or rotating IP addresses.
- Access via bastion hosts, load-balanced management interfaces, or cloud-based management tools.
- Automation or orchestration systems using shared administrator credentials.
- Incident response or troubleshooting activity involving multiple access points.

### Response and Remediation

- **If the activity is expected**
  - Document the behavior and consider tuning the rule or adding exceptions for known IP ranges or accounts.
  - Encourage use of named accounts and centralized access paths.

- **If the activity is suspicious**
  - Reset or rotate credentials for the affected administrator account.
  - Review FortiGate configuration changes made during the session(s).
  - Restrict administrative access to trusted IP ranges.
  - Enforce MFA for administrative logins if not already enabled.
  - Monitor for additional signs of lateral movement or persistence."""
references = [
    "https://www.elastic.co/docs/reference/integrations/fortinet_fortigate",
    "https://www.cisa.gov/news-events/alerts/2026/01/28/fortinet-releases-guidance-address-ongoing-exploitation-authentication-bypass-vulnerability-cve-2026",
]
risk_score = 73
rule_id = "8a556117-3f05-430e-b2eb-7df0100b4e3b"
severity = "high"
tags = [
    "Use Case: Threat Detection",
    "Tactic: Initial Access",
    "Resources: Investigation Guide",
    "Domain: Network",
    "Domain: Identity",
    "Data Source: Fortinet",
    "Data Source: Fortinet FortiGate",
]
timestamp_override = "event.ingested"
type = "esql"

query = '''
FROM logs-fortinet_fortigate.*, filebeat-* metadata _id

| WHERE event.dataset == "fortinet_fortigate.log" and
        event.category == "authentication" and event.action == "login" and
        event.outcome == "success" and source.user.roles == "Administrator" and
        source.user.name is not null and source.ip is not null
| stats Esql.logon_count = count(*),
        Esql.source_ip_count_distinct = COUNT_DISTINCT(source.ip),
        Esql.max_timestamp = MAX(@timestamp),
        Esql.source_ip_values = VALUES(source.ip),
        Esql.message_values = VALUES(message),
        Esql.source_geo_country_name_values = VALUES(source.geo.country_name) by source.user.name

// last logon event timestamp is within 6m of the rule execution time to avoid duplicates
| eval Esql.recent = DATE_DIFF("minute", Esql.max_timestamp, now())
| where Esql.recent <= 6 and Esql.logon_count >= 2 and Esql.source_ip_count_distinct >= 2

// move dynamic fields to ECS equivalent for rule exceptions
| eval source.ip = MV_FIRST(Esql.source_ip_values)

| keep source.ip, source.user.name, Esql.*
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1078"
name = "Valid Accounts"
reference = "https://attack.mitre.org/techniques/T1078/"


[rule.threat.tactic]
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"
```
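The query's WHERE filter, per-account STATS aggregation and the two thresholds, replayed over constructed ECS-shaped events, as an added Python example that is not part of the Elastic rule; the sample events, the `NOW` constant and the `detect_admin_multi_ip_logins` function are assumptions made for illustration, and the 6-minute check shows why the rule does not re-alert on the same burst every 5-minute run.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample events in ECS shape (not captured FortiGate logs); NOW stands in for now().
NOW = datetime(2026, 1, 29, 12, 0, tzinfo=timezone.utc)

def _ev(minutes_ago, user, ip, roles="Administrator", outcome="success", country="US"):
    return {"@timestamp": NOW - timedelta(minutes=minutes_ago),
            "event": {"dataset": "fortinet_fortigate.log", "category": "authentication",
                      "action": "login", "outcome": outcome},
            "source": {"user": {"name": user, "roles": roles}, "ip": ip,
                       "geo": {"country_name": country}}}

SAMPLE_EVENTS = [
    _ev(2, "admin", "203.0.113.10"),                   # recent admin login
    _ev(180, "admin", "198.51.100.7", country="DE"),   # same account, second IP
    _ev(30, "admin", "203.0.113.10"),                  # repeat of the first IP
    _ev(1800, "admin", "192.0.2.99"),                  # 30h old: outside now-24h
    _ev(1, "auditor", "192.0.2.5", roles="ReadOnly"),  # not an Administrator
    _ev(3, "backup", "192.0.2.8", outcome="failure"),  # failed login is dropped
    _ev(3, "backup", "192.0.2.9"),                     # leaves one success only
    _ev(400, "ops", "192.0.2.20"),                     # two IPs, but last login
    _ev(500, "ops", "192.0.2.21"),                     # >6 min ago: already alerted
]

def detect_admin_multi_ip_logins(events, now=NOW, lookback_hours=24, recent_minutes=6):
    """Apply the rule's WHERE filter, STATS ... BY source.user.name, and thresholds."""
    start = now - timedelta(hours=lookback_hours)
    groups = defaultdict(list)
    for e in events:
        ev, src = e["event"], e["source"]
        if (ev["dataset"] == "fortinet_fortigate.log" and ev["category"] == "authentication"
                and ev["action"] == "login" and ev["outcome"] == "success"
                and src["user"]["roles"] == "Administrator"
                and src["user"].get("name") and src.get("ip")
                and start <= e["@timestamp"] <= now):
            groups[src["user"]["name"]].append(e)
    alerts = {}
    for user, evs in groups.items():
        max_ts = max(e["@timestamp"] for e in evs)
        ips = sorted({e["source"]["ip"] for e in evs})
        countries = sorted({e["source"]["geo"]["country_name"] for e in evs})
        minutes_since_last = (now - max_ts).total_seconds() / 60  # DATE_DIFF("minute", ...)
        # recent <= 6 with a 5m interval keeps each burst from re-alerting on every run
        if minutes_since_last <= recent_minutes and len(evs) >= 2 and len(ips) >= 2:
            alerts[user] = {"logon_count": len(evs), "source_ip_count_distinct": len(ips),
                            "source_ip_values": ips, "source_geo_country_name_values": countries,
                            "source_ip": ips[0]}  # stands in for MV_FIRST(VALUES(source.ip))
    return alerts
```

In the real query `VALUES()` has no guaranteed order, so the `source.ip` chosen by `MV_FIRST` for exception matching is arbitrary; the sorted list here only makes the output deterministic.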

## Triage and Analysis

### Investigating FortiGate Administrator Login from Multiple IP Addresses

This alert indicates that the same **Administrator** account successfully logged in to the FortiGate management interface from **multiple distinct source IP addresses** within a 24-hour period.

Because FortiGate administrator credentials grant full control over network security infrastructure, this behavior may indicate credential compromise, account sharing, or misuse of administrative access.

### Investigation Steps

- **Review the affected account**
  - Identify the administrator account in `source.user.name`.
  - Confirm whether the account is shared, personal, or service-related.
  - Validate whether concurrent or near-concurrent access is expected.

- **Analyze source IP addresses**
  - Review the list of `source.ip` values associated with the logins.
  - Determine whether the IPs belong to trusted management networks, VPN pools, or jump hosts.
  - Investigate geolocation differences using `source.geo.country_name`.

- **Assess timing and session behavior**
  - Check whether logins occurred close together in time or overlapped.
  - Identify whether access patterns suggest session hopping or credential reuse.

- **Review post-authentication activity**
  - Examine FortiGate logs for configuration changes, policy updates, or administrative actions following the logins.
  - Look for additional authentication attempts (successful or failed) from the same IPs or user.

- **Correlate with environment context**
  - Verify maintenance windows, incident response activity, or operational tasks that could explain the behavior.
  - Confirm whether administrators commonly access FortiGate via multiple networks or devices.

### False Positive Considerations

- Administrators connecting through VPNs with dynamic or rotating IP addresses.
- Access via bastion hosts, load-balanced management interfaces, or cloud-based management tools.
- Automation or orchestration systems using shared administrator credentials.
- Incident response or troubleshooting activity involving multiple access points.

### Response and Remediation

- **If the activity is expected**
  - Document the behavior and consider tuning the rule or adding exceptions for known IP ranges or accounts.
  - Encourage use of named accounts and centralized access paths.

- **If the activity is suspicious**
  - Reset or rotate credentials for the affected administrator account.
  - Review FortiGate configuration changes made during the session(s).
  - Restrict administrative access to trusted IP ranges.
  - Enforce MFA for administrative logins if not already enabled.
  - Monitor for additional signs of lateral movement or persistence.
