Query Details

Fortinet SSL-VPN and Admin Authentication Brute Force

17 CSL Fortinet VPN Brute Force

Query

CommonSecurityLog
| where TimeGenerated > ago(1d)
| where DeviceVendor == "Fortinet"
| where DeviceEventClassID has_any ("32001", "32002", "39424", "39952")
    or Activity has_any ("ssl-vpn-tunnel", "vpn", "admin-login", "loginfailed",
                         "login failure", "authentication failed")
    or DeviceAction has_any ("failed", "denied", "reject", "failure")
| summarize
    FailureCount     = count(),
    UniqueUsers      = dcount(SourceUserName),
    UserList         = make_set(SourceUserName, 20),
    DestinationIPs   = make_set(DestinationIP, 5),
    SourcePorts      = make_set(SourcePort, 5),
    FirstSeen        = min(TimeGenerated),
    LastSeen         = max(TimeGenerated)
  by SourceIP, DeviceEventClassID
| where FailureCount > 5
| order by FailureCount desc

Explanation

This query is designed to detect potential brute force attacks on Fortinet SSL-VPN and administrative consoles by monitoring authentication failures. Here's a simplified breakdown:

  • Purpose: The query identifies instances where there are more than five failed login attempts from a single IP address within a day. This is a sign of possible automated attacks like credential stuffing or brute force attempts.

  • Data Source: It uses logs from Fortinet devices, specifically looking at events related to failed logins.

  • Detection Criteria:

    • The query checks logs from the past day.
    • It filters for events from Fortinet devices that indicate failed login attempts.
    • It counts the number of failures from each source IP.
    • It only considers cases where there are more than five failures from a single IP.
  • Output:

    • The query summarizes the data by counting failures, listing unique users targeted, and noting the first and last time the failures occurred.
    • It orders the results by the number of failures, highlighting the most suspicious activities.
  • Alerting:

    • If the criteria are met, an alert is generated with details about the source IP, the number of failures, and the number of unique user accounts targeted.
    • The alert is labeled as high severity due to the potential risk of unauthorized access.
  • Incident Management:

    • The system creates an incident for each detected case, grouping alerts by the source IP to manage related events together.

This query helps security teams quickly identify and respond to potential security threats targeting their VPN infrastructure.

Details

David Alonso profile picture

David Alonso

Released: March 2, 2026

Tables

CommonSecurityLog

Keywords

CommonSecurityLogDeviceVendorDeviceEventClassIDActivityDeviceActionSourceUserNameDestinationIPSourcePortTimeGeneratedSourceIP

Operators

agohas_anysummarizecountdcountmake_setminmaxorder by

Severity

High

Tactics

CredentialAccess

MITRE Techniques

Frequency: 1h

Period: 1d

Actions

GitHub