Data Source: Fortinet

Elastic Defend and Network Security Alerts Correlation

Jan 2, 2026 · Use Case: Threat Detection Rule Type: Higher-Order Rule Resources: Investigation Guide Data Source: Elastic Defend Data Source: Fortinet Data Source: PAN-OS ·

Share on:

This rule correlate any Elastic Defend alert with a set of suspicious events from Network security devices like Palo Alto Networks (PANW) and Fortinet Fortigate by host.ip and source.ip. This may indicate that this host is compromised and triggering multi-datasource alerts.

React2Shell Network Security Alert

Dec 19, 2025 · Domain: Network Domain: Application Domain: Web Use Case: Threat Detection Use Case: Vulnerability Tactic: Initial Access Tactic: Execution Data Source: PAN-OS Data Source: Fortinet Data Source: Suricata Data Source: Cisco FTD Resources: Investigation Guide ·

Share on:

This rule identifies network security alerts related to CVE-2025-55182 exploitation attempts from different network security integrations. CVE-2025-55182 is a critical remote code execution vulnerability in React Server Components (RSC) Flight protocol. The vulnerability allows attackers to execute arbitrary code on the server by sending specially crafted deserialization payloads that exploit prototype chain traversal to access the Function constructor.

SOCKS Traffic from an Unusual Process

Nov 24, 2025 · Domain: Endpoint OS: Linux OS: Windows OS: macOS Use Case: Threat Detection Tactic: Command and Control Data Source: Elastic Defend Data Source: Fortinet Resources: Investigation Guide ·

Share on:

This detection correlates FortiGate's application control SOCKS events with Elastic Defend network event to identify the source process performing SOCKS traffic. Adversaries may use a connection proxy to direct network traffic between systems or act as an intermediary for network communications to a command and control server to avoid direct connections to their infrastructure.