FortiGate FortiCloud SSO Login from Unusual Source

This rule detects the first successful FortiCloud SSO login from a previously unseen source IP address to a FortiGate device within the last 5 days. FortiCloud SSO logins from new source IPs may indicate exploitation of SAML-based authentication bypass vulnerabilities such as CVE-2026-24858, where crafted SAML assertions allow unauthorized access to FortiGate devices registered to other accounts. Environments that regularly use FortiCloud SSO will only alert on new source IPs not seen in the lookback window.

Elastic rule

[metadata]
creation_date = "2026/01/28"
integration = ["fortinet_fortigate"]
maturity = "production"
updated_date = "2026/01/28"

[rule]
author = ["Elastic"]
description = """
This rule detects the first successful FortiCloud SSO login from a previously unseen source IP address to a FortiGate
device within the last 5 days. FortiCloud SSO logins from new source IPs may indicate exploitation of SAML-based
authentication bypass vulnerabilities such as CVE-2026-24858, where crafted SAML assertions allow unauthorized access to
FortiGate devices registered to other accounts. Environments that regularly use FortiCloud SSO will only alert on new
source IPs not seen in the lookback window.
"""
from = "now-7205m"
interval = "5m"
language = "esql"
license = "Elastic License v2"
name = "FortiGate FortiCloud SSO Login from Unusual Source"
note = """## Triage and analysis

### Investigating FortiGate FortiCloud SSO Login from Unusual Source

This alert indicates that a FortiCloud SSO login was observed from a source IP address not previously seen authenticating via SSO in the last 5 days. This is a high-value signal because it filters out routine SSO access from known management IPs and only fires on novel source addresses.

CVE-2026-24858 (FG-IR-26-060) allows attackers with a FortiCloud account and a registered device to craft SAML assertions that authenticate them as administrators on other FortiGate devices when FortiCloud SSO is enabled. This vulnerability has been actively exploited in the wild.

### Possible investigation steps

- Check `source.ip` against known corporate management networks, VPN egress points, and jump hosts. Investigate the IP's ASN and geolocation, as attacker IPs have been observed from The Constant Company LLC, BL Networks, Kaopu Cloud HK Limited, and Cloudflare-protected ranges.
- Determine whether this IP has been seen in any other authentication context across the environment.
- Check `Esql.user_values` for the SSO account name (typically an email address) and verify the account belongs to the organization. Compare against known attacker email IOCs: cloud-noc@mail.io, cloud-init@mail.io, heltaylor.12@tutamail.com, support@openmail.pro.
- Check `Esql.observer_name_values` to identify which FortiGate device was accessed and confirm whether FortiCloud SSO is intentionally enabled on the device.
- Look for local administrator account creation, configuration exports, firewall policy changes, or VPN user/group creation immediately following the SSO login. The observed attack pattern involves rogue admin creation within seconds of login.

### False positive analysis

- Administrators connecting from a new office location, hotel, or home network for the first time may trigger this alert.
- FortiCloud SSO access after IP address changes such as ISP rotation or VPN egress changes can appear as a new source IP.
- First login after FortiCloud SSO is initially enabled on a device will fire since no historical SSO logins exist.

### Response and remediation

- If the activity is unauthorized, disable FortiCloud SSO immediately using `config system global` > `set admin-forticloud-sso-login disable`.
- Audit all administrator accounts for unauthorized additions and review and restore configuration from a known-clean backup.
- Rotate all credentials including any LDAP/AD accounts connected to the device.
- Upgrade FortiOS to a patched version.
- If the activity is expected, document the new source IP and consider adding an exception if it represents a new management location."""
references = [
    "https://www.fortiguard.com/psirt/FG-IR-26-060",
    "https://www.fortinet.com/blog/psirt-blogs/analysis-of-sso-abuse-on-fortios",
    "https://www.elastic.co/docs/reference/integrations/fortinet_fortigate",
    "https://www.cisa.gov/news-events/alerts/2026/01/28/fortinet-releases-guidance-address-ongoing-exploitation-authentication-bypass-vulnerability-cve-2026",
]
risk_score = 47
rule_id = "618a219d-a363-4ab1-ba30-870d7c22facd"
severity = "medium"
tags = [
    "Use Case: Threat Detection",
    "Tactic: Initial Access",
    "Resources: Investigation Guide",
    "Domain: Network",
    "Domain: Identity",
    "Data Source: Fortinet",
    "Data Source: Fortinet FortiGate",
]
timestamp_override = "event.ingested"
type = "esql"

query = '''
FROM logs-fortinet_fortigate.* metadata _id, _version, _index

| WHERE event.dataset == "fortinet_fortigate.log" and
        event.category == "authentication" and event.action == "login" and
        event.outcome == "success" and
        (fortinet.firewall.method == "sso" or fortinet.firewall.ui like "sso*") and
        source.ip is not null
| STATS Esql.logon_count = COUNT(*),
        Esql.first_time_seen = MIN(@timestamp),
        Esql.user_values = VALUES(source.user.name),
        Esql.observer_name_values = VALUES(observer.name),
        Esql.message_values = VALUES(message) BY source.ip

// first time seen is within 6m of the rule execution time and for the last 5d of events history
| EVAL Esql.recent = DATE_DIFF("minute", Esql.first_time_seen, now())
| WHERE Esql.recent <= 6 AND Esql.logon_count == 1

// move dynamic fields to ECS equivalent for rule exceptions
| EVAL source.user.name = MV_FIRST(Esql.user_values)

| KEEP source.ip, source.user.name, Esql.*
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1078"
name = "Valid Accounts"
reference = "https://attack.mitre.org/techniques/T1078/"
[[rule.threat.technique.subtechnique]]
id = "T1078.004"
name = "Cloud Accounts"
reference = "https://attack.mitre.org/techniques/T1078/004/"



[rule.threat.tactic]
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"
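The ES|QL query above is easier to reason about when its filter, STATS and WHERE stages are replayed over sample data. The following Python is an added example, not part of the Elastic rule or the page: it applies the same WHERE conditions, groups successful SSO logins by source.ip over the 7205-minute lookback, and keeps only IPs whose first (and only) login falls within 6 minutes of the execution time. The events, device names, user names and the fixed execution time NOW are constructed; startswith("sso") stands in for `like "sso*"`, and min() over the collected user set stands in for MV_FIRST.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Fixed "rule execution time" so the example is deterministic (constructed).
NOW = datetime(2026, 1, 28, 12, 0, tzinfo=timezone.utc)


def _ev(minutes_ago, ip, user, observer, method="sso", ui="sso", outcome="success"):
    """Build one constructed FortiGate login event using the ECS field names the rule queries."""
    return {
        "@timestamp": NOW - timedelta(minutes=minutes_ago),
        "event.dataset": "fortinet_fortigate.log",
        "event.category": "authentication",
        "event.action": "login",
        "event.outcome": outcome,
        "fortinet.firewall.method": method,
        "fortinet.firewall.ui": ui,
        "source.ip": ip,
        "source.user.name": user,
        "observer.name": observer,
        "message": f"Administrator {user} logged in via {ui} from {ip}",
    }


# Constructed sample history; none of these are real logs.
SAMPLE_EVENTS = [
    _ev(4 * 24 * 60, "10.20.0.5", "ops@example.com", "fgt-hq-01"),   # known management IP, 4 days ago
    _ev(2, "10.20.0.5", "ops@example.com", "fgt-hq-01"),             # same IP again -> logon_count 2, no alert
    _ev(120, "198.51.100.9", "ops@example.com", "fgt-hq-01"),        # single login but 2 h old -> not "recent"
    _ev(1, "192.0.2.10", "admin", "fgt-hq-01", method="local", ui="https"),  # not SSO -> filtered out
    _ev(3, "203.0.113.77", "newuser@example.com", "fgt-branch-02"),  # first SSO login, 3 min ago -> alert
    _ev(1, "203.0.113.78", "newuser@example.com", "fgt-branch-02", outcome="failure"),  # failed -> filtered out
]


def is_sso_login(ev):
    """Mirror the rule's WHERE clause for a single event."""
    ui = ev.get("fortinet.firewall.ui") or ""
    return (
        ev.get("event.dataset") == "fortinet_fortigate.log"
        and ev.get("event.category") == "authentication"
        and ev.get("event.action") == "login"
        and ev.get("event.outcome") == "success"
        and (ev.get("fortinet.firewall.method") == "sso" or ui.startswith("sso"))
        and ev.get("source.ip") is not None
    )


def first_seen_sso_logins(events, now=NOW, lookback=timedelta(minutes=7205), recent=timedelta(minutes=6)):
    """Group SSO logins by source.ip over the lookback window (the STATS stage) and return the
    IPs whose only login happened within `recent` of `now` (the EVAL/WHERE stages)."""
    window_start = now - lookback
    groups = defaultdict(lambda: {"count": 0, "first": None, "users": set(), "observers": set()})
    for ev in events:
        ts = ev["@timestamp"]
        if not (window_start <= ts <= now) or not is_sso_login(ev):
            continue
        g = groups[ev["source.ip"]]
        g["count"] += 1
        g["first"] = ts if g["first"] is None else min(g["first"], ts)
        if ev.get("source.user.name"):
            g["users"].add(ev["source.user.name"])
        if ev.get("observer.name"):
            g["observers"].add(ev["observer.name"])

    alerts = []
    for ip, g in sorted(groups.items()):
        if g["count"] == 1 and (now - g["first"]) <= recent:
            alerts.append({
                "source.ip": ip,
                "source.user.name": min(g["users"]) if g["users"] else None,  # stand-in for MV_FIRST
                "Esql.logon_count": g["count"],
                "Esql.first_time_seen": g["first"],
                "Esql.user_values": sorted(g["users"]),
                "Esql.observer_name_values": sorted(g["observers"]),
            })
    return alerts


if __name__ == "__main__":
    for alert in first_seen_sso_logins(SAMPLE_EVENTS):
        print(alert["source.ip"], alert["Esql.user_values"], alert["Esql.observer_name_values"])
```

Only 203.0.113.77 survives: the management IP has two logins in the window, the 2-hour-old single login is outside the 6-minute recency check (it would have alerted in an earlier run), and the local and failed logins never pass the filter. Running a candidate rule this way against a day of exported events is a cheap way to estimate alert volume before enabling it.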

Triage and analysis

Investigating FortiGate FortiCloud SSO Login from Unusual Source

This alert indicates that a FortiCloud SSO login was observed from a source IP address not previously seen authenticating via SSO in the last 5 days. This is a high-value signal because it filters out routine SSO access from known management IPs and only fires on novel source addresses.

CVE-2026-24858 (FG-IR-26-060) allows attackers with a FortiCloud account and a registered device to craft SAML assertions that authenticate them as administrators on other FortiGate devices when FortiCloud SSO is enabled. This vulnerability has been actively exploited in the wild.

Possible investigation steps

  • Check source.ip against known corporate management networks, VPN egress points, and jump hosts. Investigate the IP's ASN and geolocation, as attacker IPs have been observed from The Constant Company LLC, BL Networks, Kaopu Cloud HK Limited, and Cloudflare-protected ranges.
  • Determine whether this IP has been seen in any other authentication context across the environment.
  • Check Esql.user_values for the SSO account name (typically an email address) and verify the account belongs to the organization. Compare against known attacker email IOCs: cloud-noc@mail.io, cloud-init@mail.io, heltaylor.12@tutamail.com, support@openmail.pro.
  • Check Esql.observer_name_values to identify which FortiGate device was accessed and confirm whether FortiCloud SSO is intentionally enabled on the device.
  • Look for local administrator account creation, configuration exports, firewall policy changes, or VPN user/group creation immediately following the SSO login. The observed attack pattern involves rogue admin creation within seconds of login.
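Several of the steps above can be scripted against the alert document. The following Python is an added example, not Elastic's code: it checks the alert's source.ip against an organization's management CIDRs (constructed placeholders here), compares Esql.user_values case-insensitively against the attacker email IOCs listed in the guide, and looks for administrator, firewall policy or VPN user/group configuration changes on the same device within two minutes of the login. The alert, the follow-on events and the fortinet.firewall.cfgpath values are constructed; in particular the cfgpath strings are an assumption about how FortiGate config-change logs look after ingestion and should be checked against real events before use.

```python
import ipaddress
from datetime import datetime, timedelta, timezone

# Known management ranges: constructed placeholders for an organization's own networks.
KNOWN_MGMT_NETWORKS = [ipaddress.ip_network(n) for n in ("10.20.0.0/24", "192.0.2.0/24")]

# Attacker account IOCs as listed in the investigation guide.
ATTACKER_EMAIL_IOCS = {
    "cloud-noc@mail.io", "cloud-init@mail.io",
    "heltaylor.12@tutamail.com", "support@openmail.pro",
}

# Config paths whose change right after an SSO login matches the described attack pattern.
# ASSUMPTION: these cfgpath values are illustrative; confirm them against your own events.
SUSPICIOUS_CFGPATHS = {"system.admin", "firewall.policy", "user.local", "user.group"}

NOW = datetime(2026, 1, 28, 12, 0, tzinfo=timezone.utc)
LOGIN_AT = NOW - timedelta(minutes=3)

# Constructed alert in the shape the rule emits (not a real alert).
SAMPLE_ALERT = {
    "source.ip": "203.0.113.77",
    "Esql.first_time_seen": LOGIN_AT,
    "Esql.user_values": ["Cloud-NOC@mail.io"],
    "Esql.observer_name_values": ["fgt-branch-02"],
}

# Constructed follow-on config-change events (not real logs).
SAMPLE_FOLLOW_ON = [
    {"@timestamp": LOGIN_AT + timedelta(seconds=8), "observer.name": "fgt-branch-02",
     "event.action": "Add", "fortinet.firewall.cfgpath": "system.admin", "fortinet.firewall.cfgobj": "support"},
    {"@timestamp": LOGIN_AT + timedelta(seconds=41), "observer.name": "fgt-branch-02",
     "event.action": "Add", "fortinet.firewall.cfgpath": "user.local", "fortinet.firewall.cfgobj": "vpnuser1"},
    {"@timestamp": LOGIN_AT + timedelta(seconds=20), "observer.name": "fgt-hq-01",  # different device
     "event.action": "Add", "fortinet.firewall.cfgpath": "system.admin", "fortinet.firewall.cfgobj": "x"},
    {"@timestamp": LOGIN_AT - timedelta(minutes=27), "observer.name": "fgt-branch-02",  # before the login
     "event.action": "Edit", "fortinet.firewall.cfgpath": "firewall.policy", "fortinet.firewall.cfgobj": "5"},
]


def triage_alert(alert, follow_on_events, mgmt_networks=KNOWN_MGMT_NETWORKS,
                 iocs=ATTACKER_EMAIL_IOCS, window=timedelta(seconds=120)):
    """Return the investigation-step findings for one alert plus a suggested verdict."""
    ip = ipaddress.ip_address(alert["source.ip"])
    login_time = alert["Esql.first_time_seen"]
    devices = set(alert["Esql.observer_name_values"])
    findings = {
        "ip_in_known_mgmt": any(ip in net for net in mgmt_networks),
        "user_matches_ioc": sorted(u for u in alert["Esql.user_values"] if u.lower() in iocs),
        "config_changes_after_login": [],
    }
    # Same device, at or after the login, inside the window, touching a sensitive config path.
    for ev in follow_on_events:
        delta = ev["@timestamp"] - login_time
        if (ev.get("observer.name") in devices
                and timedelta(0) <= delta <= window
                and ev.get("fortinet.firewall.cfgpath") in SUSPICIOUS_CFGPATHS):
            findings["config_changes_after_login"].append(
                (int(delta.total_seconds()), ev["event.action"],
                 ev["fortinet.firewall.cfgpath"], ev.get("fortinet.firewall.cfgobj")))
    findings["config_changes_after_login"].sort()

    if findings["user_matches_ioc"] or (
            not findings["ip_in_known_mgmt"] and findings["config_changes_after_login"]):
        findings["verdict"] = "escalate"
    elif findings["ip_in_known_mgmt"] and not findings["config_changes_after_login"]:
        findings["verdict"] = "likely benign: known management network, no follow-on changes"
    else:
        findings["verdict"] = "investigate"
    return findings


if __name__ == "__main__":
    for key, value in triage_alert(SAMPLE_ALERT, SAMPLE_FOLLOW_ON).items():
        print(f"{key}: {value}")
```

For the constructed alert the helper reports an IOC match and two sensitive changes (an admin account 8 s after login and a local VPN user at 41 s) on the same device, so it escalates; the change on a different device and the policy edit that predates the login are ignored. A login from inside a management range with no follow-on changes is marked likely benign, which covers the new-office and ISP-rotation false positives once those ranges are added to the allowlist.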

False positive analysis

  • Administrators connecting from a new office location, hotel, or home network for the first time may trigger this alert.
  • FortiCloud SSO access after IP address changes such as ISP rotation or VPN egress changes can appear as a new source IP.
  • First login after FortiCloud SSO is initially enabled on a device will fire since no historical SSO logins exist.

Response and remediation

  • If the activity is unauthorized, disable FortiCloud SSO immediately using config system global > set admin-forticloud-sso-login disable.
  • Audit all administrator accounts for unauthorized additions and review and restore configuration from a known-clean backup.
  • Rotate all credentials including any LDAP/AD accounts connected to the device.
  • Upgrade FortiOS to a patched version.
  • If the activity is expected, document the new source IP and consider adding an exception if it represents a new management location.
