Query Details

Fortinet SSL-VPN and Admin Authentication Brute Force

17 CSL Fortinet VPN Brute Force

Query

CommonSecurityLog
| where TimeGenerated > ago(1d)
| where DeviceVendor == "Fortinet"
| where DeviceEventClassID has_any ("32001", "32002", "39424", "39952")
    or Activity has_any ("ssl-vpn-tunnel", "vpn", "admin-login", "loginfailed",
                         "login failure", "authentication failed")
    or DeviceAction has_any ("failed", "denied", "reject", "failure")
| summarize
    FailureCount     = count(),
    UniqueUsers      = dcount(SourceUserName),
    UserList         = make_set(SourceUserName, 20),
    DestinationIPs   = make_set(DestinationIP, 5),
    SourcePorts      = make_set(SourcePort, 5),
    FirstSeen        = min(TimeGenerated),
    LastSeen         = max(TimeGenerated)
  by SourceIP, DeviceEventClassID
| where FailureCount > 5
| order by FailureCount desc

Explanation

This query is designed to detect potential brute force attacks targeting Fortinet SSL-VPN or administrative console logins. Here's a simplified breakdown:

  1. Purpose: The query identifies instances where there are more than five failed login attempts from a single IP address within a day. This is indicative of automated attacks like credential stuffing or password spraying.

  2. Data Source: It uses data from the "CommonSecurityEvents" connector, specifically looking at "CommonSecurityLog" data.

  3. Time Frame: The query checks logs from the past day (1 day).

  4. Conditions: It filters logs where:

    • The vendor is "Fortinet".
    • The event class ID or activity indicates a failed login attempt (e.g., "loginfailed", "authentication failed").
    • The action is marked as "failed", "denied", "reject", or "failure".
  5. Analysis:

    • It counts the number of failed attempts (FailureCount).
    • It identifies how many unique users were targeted (UniqueUsers).
    • It lists the users, destination IPs, and source ports involved.
  6. Alerting:

    • If there are more than five failures from a single IP, it triggers an alert.
    • The alert includes details like the source IP, number of failures, and unique users targeted.
  7. Severity and Response:

    • The severity is marked as "High".
    • An incident is created for further investigation, grouping related alerts by IP.
  8. MITRE ATT&CK Framework: It maps to the "Brute Force" technique (T1110) under the "Credential Access" tactic.

In essence, this query helps security teams quickly identify and respond to potential brute force attacks on Fortinet VPNs by highlighting suspicious login failure patterns.

Details

David Alonso profile picture

David Alonso

Released: March 2, 2026

Tables

CommonSecurityLog

Keywords

CommonSecurityLogDeviceVendorDeviceEventClassIDActivityDeviceActionSourceUserNameDestinationIPSourcePortTimeGeneratedSourceIP

Operators

agohas_anysummarizecountdcountmake_setminmaxbyorder bydesc

Severity

High

Tactics

CredentialAccess

MITRE Techniques

Frequency: 1h

Period: 1d

Actions

GitHub