Fortinet SSL-VPN and Admin Authentication Brute Force
17 CSL Fortinet VPN Brute Force
Query
CommonSecurityLog
| where TimeGenerated > ago(1d)
| where DeviceVendor == "Fortinet"
| where DeviceEventClassID has_any ("32001", "32002", "39424", "39952")
or Activity has_any ("ssl-vpn-tunnel", "vpn", "admin-login", "loginfailed",
"login failure", "authentication failed")
or DeviceAction has_any ("failed", "denied", "reject", "failure")
| summarize
FailureCount = count(),
UniqueUsers = dcount(SourceUserName),
UserList = make_set(SourceUserName, 20),
DestinationIPs = make_set(DestinationIP, 5),
SourcePorts = make_set(SourcePort, 5),
FirstSeen = min(TimeGenerated),
LastSeen = max(TimeGenerated)
by SourceIP, DeviceEventClassID
| where FailureCount > 5
| order by FailureCount descExplanation
This query is designed to detect potential brute force attacks on Fortinet SSL-VPN and administrative consoles by monitoring authentication failures. Here's a simplified breakdown:
-
Purpose: The query identifies instances where there are more than five failed login attempts from a single IP address within a day. This is a sign of possible automated attacks like credential stuffing or brute force attempts.
-
Data Source: It uses logs from Fortinet devices, specifically looking at events related to failed logins.
-
Detection Criteria:
- The query checks logs from the past day.
- It filters for events from Fortinet devices that indicate failed login attempts.
- It counts the number of failures from each source IP.
- It only considers cases where there are more than five failures from a single IP.
-
Output:
- The query summarizes the data by counting failures, listing unique users targeted, and noting the first and last time the failures occurred.
- It orders the results by the number of failures, highlighting the most suspicious activities.
-
Alerting:
- If the criteria are met, an alert is generated with details about the source IP, the number of failures, and the number of unique user accounts targeted.
- The alert is labeled as high severity due to the potential risk of unauthorized access.
-
Incident Management:
- The system creates an incident for each detected case, grouping alerts by the source IP to manage related events together.
This query helps security teams quickly identify and respond to potential security threats targeting their VPN infrastructure.
Details

David Alonso
Released: March 2, 2026
Tables
Keywords
Operators
Severity
HighTactics
MITRE Techniques
Frequency: 1h
Period: 1d