Merge PR #5197 from @inthecyber - Add new Fortinet Fortigate rules

new: FortiGate - New Administrator Account Created
new: FortiGate - Firewall Address Object Added
new: FortiGate - New Firewall Policy Added
new: FortiGate - New Local User Created
new: FortiGate - New VPN SSL Web Portal Added
new: FortiGate - User Group Modified
new: FortiGate - VPN SSL Settings Modified

---------

Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
Co-authored-by: Tommaso Tosi <tommaso.tosi@inthecyber.com>
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>

Author: 4 people

rules/network/fortinet/fortigate/fortinet_fortigate_new_admin_account_created.yml

@@ -0,0 +1,25 @@
+title: FortiGate - New Administrator Account Created
+id: cd0a4943-0edd-42cf-b50c-06f77a10d4c1
+status: experimental
+description: Detects the creation of an administrator account on a Fortinet FortiGate Firewall.
+references:
+    - https://www.fortiguard.com/psirt/FG-IR-24-535
+    - https://docs.fortinet.com/document/fortigate/7.6.4/fortios-log-message-reference/398/event
+    - https://docs.fortinet.com/document/fortigate/7.6.4/cli-reference/390485493/config-system-admin
+    - https://docs.fortinet.com/document/fortigate/7.6.4/fortios-log-message-reference/44547/44547-logid-event-config-objattr
+author: Marco Pedrinazzi @pedrinazziM (InTheCyber)
+date: 2025-11-01
+tags:
+    - attack.persistence
+    - attack.t1136.001
+logsource:
+    product: fortigate
+    service: event
+detection:
+    selection:
+        action: 'Add'
+        cfgpath: 'system.admin'
+    condition: selection
+falsepositives:
+    - An administrator account can be created for legitimate purposes. Investigate the account details to determine if it is authorized.
+level: medium

rules/network/fortinet/fortigate/fortinet_fortigate_new_firewall_address_object.yml

@@ -0,0 +1,25 @@
+title: FortiGate - Firewall Address Object Added
+id: 5c8d7b41-3812-432f-a0bb-4cfb7c31827e
+status: experimental
+description: Detects the addition of firewall address objects on a Fortinet FortiGate Firewall.
+references:
+    - https://www.fortiguard.com/psirt/FG-IR-24-535
+    - https://docs.fortinet.com/document/fortigate/7.6.4/fortios-log-message-reference/398/event
+    - https://docs.fortinet.com/document/fortigate/7.6.4/cli-reference/306021697/config-firewall-address
+    - https://docs.fortinet.com/document/fortigate/7.6.4/fortios-log-message-reference/44547/44547-logid-event-config-objattr
+author: Marco Pedrinazzi @pedrinazziM (InTheCyber)
+date: 2025-11-01
+tags:
+    - attack.defense-evasion
+    - attack.t1562
+logsource:
+    product: fortigate
+    service: event
+detection:
+    selection:
+        action: 'Add'
+        cfgpath: 'firewall.address'
+    condition: selection
+falsepositives:
+    - An address could be added or deleted for legitimate purposes.
+level: medium

rules/network/fortinet/fortigate/fortinet_fortigate_new_firewall_policy_added.yml

@@ -0,0 +1,25 @@
+title: FortiGate - New Firewall Policy Added
+id: f24ab7a8-f09a-4319-82c1-915586aa642b
+status: experimental
+description: Detects the addition of a new firewall policy on a Fortinet FortiGate Firewall.
+references:
+    - https://www.fortiguard.com/psirt/FG-IR-24-535
+    - https://docs.fortinet.com/document/fortigate/7.6.4/fortios-log-message-reference/398/event
+    - https://docs.fortinet.com/document/fortigate/7.6.4/cli-reference/333889629/config-firewall-policy
+    - https://docs.fortinet.com/document/fortigate/7.6.4/fortios-log-message-reference/44547/44547-logid-event-config-objattr
+author: Marco Pedrinazzi @pedrinazziM (InTheCyber)
+date: 2025-11-01
+tags:
+    - attack.defense-evasion
+    - attack.t1562
+logsource:
+    product: fortigate
+    service: event
+detection:
+    selection:
+        action: 'Add'
+        cfgpath: 'firewall.policy'
+    condition: selection
+falsepositives:
+    - A firewall policy can be added for legitimate purposes.
+level: medium

rules/network/fortinet/fortigate/fortinet_fortigate_new_local_user_created.yml

@@ -0,0 +1,27 @@
+title: FortiGate - New Local User Created
+id: ddbbe845-1d74-43a8-8231-2156d180234d
+status: experimental
+description: |
+    Detects the creation of a new local user on a Fortinet FortiGate Firewall.
+    The new local user could be used for VPN connections.
+references:
+    - https://www.fortiguard.com/psirt/FG-IR-24-535
+    - https://docs.fortinet.com/document/fortigate/7.6.4/fortios-log-message-reference/398/event
+    - https://docs.fortinet.com/document/fortigate/7.6.4/cli-reference/109120963/config-user-local
+    - https://docs.fortinet.com/document/fortigate/7.6.4/fortios-log-message-reference/44547/44547-logid-event-config-objattr
+author: Marco Pedrinazzi @pedrinazziM (InTheCyber)
+date: 2025-11-01
+tags:
+    - attack.persistence
+    - attack.t1136.001
+logsource:
+    product: fortigate
+    service: event
+detection:
+    selection:
+        action: 'Add'
+        cfgpath: 'user.local'
+    condition: selection
+falsepositives:
+    - A local user can be created for legitimate purposes. Investigate the user details to determine if it is authorized.
+level: medium

rules/network/fortinet/fortigate/fortinet_fortigate_new_vpn_ssl_web_portal.yml

@@ -0,0 +1,28 @@
+title: FortiGate - New VPN SSL Web Portal Added
+id: 2bfb6216-0c31-4d20-8501-2629b29a3fa2
+status: experimental
+description: |
+    Detects the addition of a VPN SSL Web Portal on a Fortinet FortiGate Firewall.
+    This behavior was observed in pair with modification of VPN SSL settings.
+references:
+    - https://www.fortiguard.com/psirt/FG-IR-24-535
+    - https://docs.fortinet.com/document/fortigate/7.6.4/fortios-log-message-reference/398/event
+    - https://docs.fortinet.com/document/fortigate/7.6.4/cli-reference/113121765/config-vpn-ssl-web-portal
+    - https://docs.fortinet.com/document/fortigate/7.6.4/fortios-log-message-reference/44547/44547-logid-event-config-objattr
+author: Marco Pedrinazzi @pedrinazziM (InTheCyber)
+date: 2025-11-01
+tags:
+    - attack.persistence
+    - attack.initial-access
+    - attack.t1133
+logsource:
+    product: fortigate
+    service: event
+detection:
+    selection:
+        action: 'Add'
+        cfgpath: 'vpn.ssl.web.portal'
+    condition: selection
+falsepositives:
+    - A VPN SSL Web Portal can be added for legitimate purposes.
+level: medium

rules/network/fortinet/fortigate/fortinet_fortigate_user_group_modified.yml

@@ -0,0 +1,28 @@
+title: FortiGate - User Group Modified
+id: 69ffc84e-8b1a-4024-8351-e018f66b8275
+status: experimental
+description: |
+    Detects the modification of a user group on a Fortinet FortiGate Firewall.
+    The group could be used to grant VPN access to a network.
+references:
+    - https://www.fortiguard.com/psirt/FG-IR-24-535
+    - https://docs.fortinet.com/document/fortigate/7.6.4/fortios-log-message-reference/398/event
+    - https://docs.fortinet.com/document/fortigate/7.6.4/cli-reference/328136827/config-user-group
+    - https://docs.fortinet.com/document/fortigate/7.6.4/fortios-log-message-reference/44547/44547-logid-event-config-objattr
+author: Marco Pedrinazzi @pedrinazziM (InTheCyber)
+date: 2025-11-01
+tags:
+    - attack.persistence
+    - attack.privilege-escalation
+    # - attack.t1098.007
+logsource:
+    product: fortigate
+    service: event
+detection:
+    selection:
+        action: 'Edit'
+        cfgpath: 'user.group'
+    condition: selection
+falsepositives:
+    - A group can be modified for legitimate purposes.
+level: medium

rules/network/fortinet/fortigate/fortinet_fortigate_vpn_ssl_settings_modified.yml

@@ -0,0 +1,28 @@
+title: FortiGate - VPN SSL Settings Modified
+id: 8b5dacf2-aeb7-459d-b133-678eb696d410
+status: experimental
+description: |
+    Detects the modification of VPN SSL Settings (for example, the modification of authentication rules).
+    This behavior was observed in pair with the addition of a VPN SSL Web Portal.
+references:
+    - https://www.fortiguard.com/psirt/FG-IR-24-535
+    - https://docs.fortinet.com/document/fortigate/7.6.4/fortios-log-message-reference/398/event
+    - https://docs.fortinet.com/document/fortigate/7.6.4/cli-reference/114404382/config-vpn-ssl-settings
+    - https://docs.fortinet.com/document/fortigate/7.6.4/fortios-log-message-reference/44546/44546-logid-event-config-attr
+author: Marco Pedrinazzi @pedrinazziM (InTheCyber)
+date: 2025-11-01
+tags:
+    - attack.persistence
+    - attack.initial-access
+    - attack.t1133
+logsource:
+    product: fortigate
+    service: event
+detection:
+    selection:
+        action: 'Edit'
+        cfgpath: 'vpn.ssl.settings'
+    condition: selection
+falsepositives:
+    - VPN SSL settings can be changed for legitimate purposes.
+level: medium

tests/logsource.json

@@ -181,6 +181,14 @@
                 "syslog":[]
             }
         },
+        "fortigate":{
+            "common": [],
+            "empty": [],
+            "category":{},
+            "service":{
+                "event":["devname","devid","logid","type","subtype","level","vd","logdesc","user","ui","action","cfgtid","cfgpath","cfgobj","cfgattr","msg"]
+            }
+        },
         "fortios":{
             "common": [],
             "empty": [],

tests/test_rules.py

@@ -611,6 +611,8 @@ def test_file_names(self):
                                     pattern_prefix = "onelogin_"
                                 elif value == "github":
                                     pattern_prefix = "github_"
+                                elif value == "fortinet":
+                                    pattern_prefix = "fortinet_"
                             elif key == "category":
                                 if value == "process_creation":
                                     pattern_prefix = "proc_creation_"