First-Time FortiGate Administrator Login
This rule detects the first observed successful login of a user with the Administrator role to the FortiGate management interface within the last 5 days. First-time administrator logins can indicate newly provisioned accounts, misconfigurations, or unauthorized access using valid credentials and should be reviewed promptly.
Elastic rule (View on GitHub)
```toml
[metadata]
creation_date = "2026/01/28"
integration = ["fortinet_fortigate"]
maturity = "production"
updated_date = "2026/01/29"

[rule]
author = ["Elastic"]
description = """
This rule detects the first observed successful login of a user with the Administrator role to the FortiGate management
interface within the last 5 days. First-time administrator logins can indicate newly provisioned accounts,
misconfigurations, or unauthorized access using valid credentials and should be reviewed promptly.
"""
from = "now-7205m"
interval = "5m"
language = "esql"
license = "Elastic License v2"
name = "First-Time FortiGate Administrator Login"
note = """## Triage and Analysis

### Investigating First-Time FortiGate Administrator Login

This alert indicates that a user with the **Administrator** role has successfully logged in to the FortiGate management interface for the first time within the last 5 days of observed data.

Because administrator access provides full control over network security devices, any newly observed admin login should be validated to confirm it is expected and authorized.

### Investigation Steps

- **Identify the account**
  - Review `source.user.name` and confirm whether the account is known and officially provisioned.
  - Determine whether this is a newly created administrator or an existing account logging in for the first time.

- **Validate the source**
  - Review `source.ip` and confirm whether it originates from a trusted management network, VPN, or jump host.
  - Investigate geolocation or ASN if the source IP is external or unusual.

- **Review login context**
  - Examine associated FortiGate log messages for details such as login method, interface, or authentication source.
  - Check for additional administrative actions following the login (policy changes, user creation, configuration exports).

- **Correlate with recent changes**
  - Verify whether there were recent change requests, onboarding activities, or maintenance windows that explain the login.
  - Look for other authentication attempts (failed or successful) from the same source or user.

### False Positive Considerations

- Newly onboarded administrators or service accounts.
- First-time logins after log retention changes or data source onboarding.
- Automation, backup, or monitoring tools introduced recently.
- Lab, development, or test FortiGate devices.

### Response and Remediation

- **If authorized**
  - Document the activity and consider adding an exception if the behavior is expected.
  - Ensure the account follows least-privilege and MFA best practices.

- **If suspicious or unauthorized**
  - Disable or restrict the administrator account immediately.
  - Rotate credentials and review authentication sources.
  - Audit recent FortiGate configuration changes.
  - Review surrounding network activity for lateral movement or persistence attempts."""
references = [
    "https://www.elastic.co/docs/reference/integrations/fortinet_fortigate",
    "https://www.cisa.gov/news-events/alerts/2026/01/28/fortinet-releases-guidance-address-ongoing-exploitation-authentication-bypass-vulnerability-cve-2026",
]
risk_score = 73
rule_id = "55a372b9-f5b6-4069-a089-8637c00609a2"
severity = "high"
tags = [
    "Use Case: Threat Detection",
    "Tactic: Initial Access",
    "Resources: Investigation Guide",
    "Domain: Network",
    "Domain: Identity",
    "Data Source: Fortinet",
    "Data Source: Fortinet FortiGate",
]
timestamp_override = "event.ingested"
type = "esql"

query = '''
FROM logs-fortinet_fortigate.*, filebeat-* metadata _id

| WHERE event.dataset == "fortinet_fortigate.log" and
    event.category == "authentication" and event.action == "login" and
    event.outcome == "success" and source.user.roles == "Administrator" and source.user.name is not null
| stats Esql.logon_count = count(*),
        Esql.first_time_seen = MIN(@timestamp),
        Esql.source_ip_values = VALUES(source.ip),
        Esql.message_values = VALUES(message) by source.user.name

// first time seen is within 6m of the rule execution time and for the last 5d of events history
| eval Esql.recent = DATE_DIFF("minute", Esql.first_time_seen, now())
| where Esql.recent <= 6 and Esql.logon_count == 1

// move dynamic fields to ECS equivalent for rule exceptions
| eval source.ip = MV_FIRST(Esql.source_ip_values)

| keep source.ip, source.user.name, Esql.*
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1078"
name = "Valid Accounts"
reference = "https://attack.mitre.org/techniques/T1078/"


[rule.threat.tactic]
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"
```
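The rule's logic is compact but has two time windows that interact: a 5-day lookback (`from = "now-7205m"`) that decides how many logins a user has, and a 6-minute recency check that decides whether this run should fire. The following Python replay is an added example, not part of the Elastic rule or the fortinet_fortigate integration. It parses constructed FortiOS key=value event-log lines, maps them onto the ECS fields the query uses, and applies the same filter, grouping, and window checks. The FortiOS field names (`logdesc`, `user`, `ui`, `method`, `srcip`, `status`, `profile`) are real FortiGate admin-login fields, but every value is invented, and the ECS mapping (in particular deriving `source.user.roles == "Administrator"` from an "Admin login" `logdesc`) is an assumption made for this illustration rather than the integration's ingest pipeline. The sample set exercises the cases the triage guide cares about: an established admin with two logins (no alert), a failed login (filtered out), a single login 40 minutes old (already alerted on an earlier run, so not re-fired), and an account whose previous login has aged out of the 5-day window, which is the "log retention" false positive the guide lists.

```python
"""Replay of the rule's ES|QL logic over constructed FortiGate admin-login events."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
import shlex

NOW = datetime(2026, 1, 28, 10, 10, tzinfo=timezone.utc)  # assumed rule execution time
LOOKBACK = timedelta(minutes=7205)                          # rule: from = "now-7205m" (5d + 5m)
RECENT_MINUTES = 6                                          # rule: Esql.recent <= 6

# Constructed FortiOS event-log bodies (key=value syslog payload). Field names follow
# FortiOS admin-login events; all users, IPs and timestamps are invented for this example.
SAMPLE_LOGS = [
    'date=2026-01-25 time=09:00:00 logid="0100032001" vd="root" logdesc="Admin login successful" user="admin" ui="https(10.0.0.5)" method="https" srcip=10.0.0.5 action="login" status="success" profile="super_admin" msg="Administrator admin logged in successfully from https(10.0.0.5)"',
    'date=2026-01-28 time=10:08:30 logid="0100032001" vd="root" logdesc="Admin login successful" user="admin" ui="https(10.0.0.5)" method="https" srcip=10.0.0.5 action="login" status="success" profile="super_admin" msg="Administrator admin logged in successfully from https(10.0.0.5)"',
    'date=2026-01-28 time=10:07:12 logid="0100032001" vd="root" logdesc="Admin login successful" user="svc_backup" ui="ssh(203.0.113.7)" method="ssh" srcip=203.0.113.7 action="login" status="success" profile="prof_admin" msg="Administrator svc_backup logged in successfully from ssh(203.0.113.7)"',
    'date=2026-01-28 time=10:07:40 logid="0100032002" vd="root" logdesc="Admin login failed" user="jdoe" ui="https(198.51.100.23)" method="https" srcip=198.51.100.23 action="login" status="failed" reason="passwd_invalid" msg="Administrator jdoe login failed from https(198.51.100.23) because of invalid password"',
    'date=2026-01-28 time=09:30:00 logid="0100032001" vd="root" logdesc="Admin login successful" user="old_admin" ui="https(10.0.0.9)" method="https" srcip=10.0.0.9 action="login" status="success" profile="super_admin" msg="Administrator old_admin logged in successfully from https(10.0.0.9)"',
    'date=2026-01-21 time=08:00:00 logid="0100032001" vd="root" logdesc="Admin login successful" user="legacy" ui="https(10.0.0.12)" method="https" srcip=10.0.0.12 action="login" status="success" profile="super_admin" msg="Administrator legacy logged in successfully from https(10.0.0.12)"',
    'date=2026-01-28 time=10:06:05 logid="0100032001" vd="root" logdesc="Admin login successful" user="legacy" ui="https(10.0.0.12)" method="https" srcip=10.0.0.12 action="login" status="success" profile="super_admin" msg="Administrator legacy logged in successfully from https(10.0.0.12)"',
]


def parse_fortigate(line):
    """Split a FortiOS key=value body into a dict; shlex keeps quoted values (with spaces) intact."""
    return dict(tok.split("=", 1) for tok in shlex.split(line))


def to_ecs(raw):
    """Map FortiOS fields onto the ECS fields the rule queries. This mapping is an assumption
    for the example (not the integration's pipeline): any 'Admin login ...' event is treated
    as an authentication event carrying the Administrator role."""
    ts = datetime.strptime(f"{raw['date']} {raw['time']}", "%Y-%m-%d %H:%M:%S")
    is_admin_login = raw.get("logdesc", "").startswith("Admin login")
    return {
        "@timestamp": ts.replace(tzinfo=timezone.utc),
        "event.category": "authentication" if is_admin_login else "other",
        "event.action": raw.get("action"),
        "event.outcome": "success" if raw.get("status") == "success" else "failure",
        "source.user.name": raw.get("user"),
        "source.user.roles": "Administrator" if is_admin_login else None,
        "source.ip": raw.get("srcip"),
        "message": raw.get("msg"),
        "fortinet.method": raw.get("method"),  # login context the triage guide asks for
        "fortinet.ui": raw.get("ui"),
    }


def first_time_admin_logins(events, now=NOW, lookback=LOOKBACK, recent_minutes=RECENT_MINUTES):
    """Mirror of the ES|QL pipeline: WHERE filter, STATS ... BY source.user.name, then keep users
    whose only successful admin login inside the lookback window is <= recent_minutes old."""
    stats = defaultdict(lambda: {"logon_count": 0, "first_time_seen": None,
                                 "source_ip_values": set(), "method_values": set()})
    for ev in events:
        if ev["@timestamp"] < now - lookback:  # outside the rule's `from` window
            continue
        if not (ev["event.category"] == "authentication" and ev["event.action"] == "login"
                and ev["event.outcome"] == "success"
                and ev["source.user.roles"] == "Administrator" and ev["source.user.name"]):
            continue
        s = stats[ev["source.user.name"]]
        s["logon_count"] += 1                       # count(*)
        if s["first_time_seen"] is None or ev["@timestamp"] < s["first_time_seen"]:
            s["first_time_seen"] = ev["@timestamp"]  # MIN(@timestamp)
        s["source_ip_values"].add(ev["source.ip"])  # VALUES(source.ip)
        s["method_values"].add(ev["fortinet.method"])

    alerts = {}
    for user, s in stats.items():
        # DATE_DIFF("minute", first_time_seen, now()) truncates to whole minutes
        recent = int((now - s["first_time_seen"]).total_seconds() // 60)
        if recent <= recent_minutes and s["logon_count"] == 1:
            alerts[user] = {
                "source.ip": sorted(s["source_ip_values"])[0],  # stand-in for MV_FIRST
                "recent_minutes": recent,
                "methods": sorted(s["method_values"]),
                "first_time_seen": s["first_time_seen"].isoformat(),
            }
    return alerts


def run_rule(lines=SAMPLE_LOGS, now=NOW):
    """Parse, normalise and evaluate the rule; returns {user: alert_fields}."""
    return first_time_admin_logins([to_ecs(parse_fortigate(line)) for line in lines], now=now)


if __name__ == "__main__":
    for user, hit in run_rule().items():
        print(user, hit)
```

Running it fires for `svc_backup` (a genuine first-seen admin over SSH from an external address) and for `legacy`, whose earlier login on 2026-01-21 falls outside the 7205-minute window and so is invisible to the `count(*) == 1` test. `admin` is suppressed by its second login, `jdoe` never reaches the aggregation because the outcome is a failure, and `old_admin` has `Esql.recent` of 40, so a run at 10:10 does not re-alert on something an earlier 5-minute run already raised. The `recent_minutes` value is also the reason the rule's `from` is 5 minutes longer than 5 days: the extra slack covers the interval between runs.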
Triage and Analysis
Investigating First-Time FortiGate Administrator Login
This alert indicates that a user with the Administrator role has successfully logged in to the FortiGate management interface for the first time within the last 5 days of observed data.
Because administrator access provides full control over network security devices, any newly observed admin login should be validated to confirm it is expected and authorized.
Investigation Steps
- Identify the account
  - Review `source.user.name` and confirm whether the account is known and officially provisioned.
  - Determine whether this is a newly created administrator or an existing account logging in for the first time.
- Validate the source
  - Review `source.ip` and confirm whether it originates from a trusted management network, VPN, or jump host.
  - Investigate geolocation or ASN if the source IP is external or unusual.
- Review login context
  - Examine associated FortiGate log messages for details such as login method, interface, or authentication source.
  - Check for additional administrative actions following the login (policy changes, user creation, configuration exports).
- Correlate with recent changes
  - Verify whether there were recent change requests, onboarding activities, or maintenance windows that explain the login.
  - Look for other authentication attempts (failed or successful) from the same source or user.
False Positive Considerations
- Newly onboarded administrators or service accounts.
- First-time logins after log retention changes or data source onboarding.
- Automation, backup, or monitoring tools introduced recently.
- Lab, development, or test FortiGate devices.
Response and Remediation
- If authorized
  - Document the activity and consider adding an exception if the behavior is expected.
  - Ensure the account follows least-privilege and MFA best practices.
- If suspicious or unauthorized
  - Disable or restrict the administrator account immediately.
  - Rotate credentials and review authentication sources.
  - Audit recent FortiGate configuration changes.
  - Review surrounding network activity for lateral movement or persistence attempts.
References
- https://www.elastic.co/docs/reference/integrations/fortinet_fortigate
- https://www.cisa.gov/news-events/alerts/2026/01/28/fortinet-releases-guidance-address-ongoing-exploitation-authentication-bypass-vulnerability-cve-2026
Related rules
- FortiGate Administrator Login from Multiple IP Addresses
- FortiGate FortiCloud SSO Login from Unusual Source
- FortiGate Administrator Account Creation from Unusual Source
- FortiGate SSO Login Followed by Administrator Account Creation
- FortiGate Super Admin Account Creation