Query Details

17 CSL Fortinet VPN Brute Force

Query

id: e7f8a9b0-c1d2-4e3f-4a5b-6c7d8e9f0a1b
name: "Fortinet SSL-VPN and Admin Authentication Brute Force"
version: 1.0.0
kind: Scheduled
description: |
  Detects repeated Fortinet SSL-VPN or administrative console authentication failures from a
  single source IP (>5 failures). VPN infrastructure is a primary target for credential
  stuffing and password spraying attacks since successful access provides direct network-level
  entry. High failure counts from a single IP are strong indicators of automated brute force
  or credential stuffing activity.
  MITRE ATT&CK: T1110 (Brute Force)
severity: High
requiredDataConnectors:
  - connectorId: CommonSecurityEvents
    dataTypes:
      - CommonSecurityLog
queryFrequency: 1h
queryPeriod: 1d
triggerOperator: gt
triggerThreshold: 0
tactics:
  - CredentialAccess
relevantTechniques:
  - T1110
query: |
  CommonSecurityLog
  | where TimeGenerated > ago(1d)
  | where DeviceVendor == "Fortinet"
  | where DeviceEventClassID has_any ("32001", "32002", "39424", "39952")
      or Activity has_any ("ssl-vpn-tunnel", "vpn", "admin-login", "loginfailed",
                           "login failure", "authentication failed")
      or DeviceAction has_any ("failed", "denied", "reject", "failure")
  | summarize
      FailureCount     = count(),
      UniqueUsers      = dcount(SourceUserName),
      UserList         = make_set(SourceUserName, 20),
      DestinationIPs   = make_set(DestinationIP, 5),
      SourcePorts      = make_set(SourcePort, 5),
      FirstSeen        = min(TimeGenerated),
      LastSeen         = max(TimeGenerated)
    by SourceIP, DeviceEventClassID
  | where FailureCount > 5
  | order by FailureCount desc
entityMappings:
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: SourceIP
customDetails:
  FailureCount: FailureCount
  UniqueUsers: UniqueUsers
alertDetailsOverride:
  alertDisplayNameFormat: "Fortinet VPN Brute Force - {{SourceIP}} ({{FailureCount}} failures)"
  alertDescriptionFormat: "Source {{SourceIP}} generated {{FailureCount}} Fortinet authentication failures targeting {{UniqueUsers}} unique accounts. Possible VPN credential brute force attack."
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    enabled: true
    reopenClosedIncident: false
    lookbackDuration: PT6H
    matchingMethod: Selected
    groupByEntities:
      - IP
    groupByAlertDetails: []
    groupByCustomDetails: []

Explanation

This query is designed to detect potential brute force attacks targeting Fortinet SSL-VPN or administrative console logins. Here's a simplified breakdown:

  1. Purpose: The query identifies instances where there are more than five failed login attempts from a single IP address within a day. This is indicative of automated attacks like credential stuffing or password spraying.

  2. Data Source: It uses data from the "CommonSecurityEvents" connector, specifically looking at "CommonSecurityLog" data.

  3. Time Frame: The query looks back over the past day (queryPeriod: 1d) and runs every hour (queryFrequency: 1h).

  4. Conditions: It keeps events where the vendor is "Fortinet" and at least one of the following holds:

    • The event class ID is one of the listed Fortinet log IDs, or the activity indicates a login attempt (e.g., "loginfailed", "authentication failed").
    • The action is marked as "failed", "denied", "reject", or "failure".

  5. Analysis:

    • It counts the matching events per source IP and event class ID (FailureCount).
    • It identifies how many unique users were targeted (UniqueUsers).
    • It lists the users, destination IPs, and source ports involved.

  6. Alerting:

    • If a single IP produces more than five such events for one event class ID, it triggers an alert.
    • The alert includes details like the source IP, number of failures, and unique users targeted.

  7. Severity and Response:

    • The severity is marked as "High".
    • An incident is created for further investigation, grouping related alerts by IP (6-hour lookback).

  8. MITRE ATT&CK Framework: It maps to the "Brute Force" technique (T1110) under the "Credential Access" tactic.

In essence, this query helps security teams quickly identify and respond to potential brute force attacks on Fortinet VPNs by highlighting suspicious login failure patterns.
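As an added example (not part of the catalogue entry or of the rule itself), the rule's filter, 1d window, grouping and threshold are replayed in Python over a handful of constructed CommonSecurityLog-style rows, so the per-(SourceIP, DeviceEventClassID) counting and the window cut-off can be checked without a workspace. The row values, the substring stand-in for has_any, and the helper names are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Term lists copied from the rule. KQL has_any matches whole terms; a case-insensitive
# substring test is a close enough stand-in for these particular values.
CLASS_IDS = ("32001", "32002", "39424", "39952")
ACTIVITY_TERMS = ("ssl-vpn-tunnel", "vpn", "admin-login", "loginfailed",
                  "login failure", "authentication failed")
ACTION_TERMS = ("failed", "denied", "reject", "failure")

def has_any(value, terms):
    return any(t in str(value).lower() for t in terms)
def is_candidate(r):
    # Mirrors the rule's where clauses: vendor must be Fortinet, then any one of three matches.
    return r["DeviceVendor"] == "Fortinet" and (has_any(r["DeviceEventClassID"], CLASS_IDS)
        or has_any(r["Activity"], ACTIVITY_TERMS) or has_any(r["DeviceAction"], ACTION_TERMS))
def make_set(values, cap):
    # make_set(col, N): distinct values, at most N kept
    return list(dict.fromkeys(values))[:cap]

def brute_force_summary(rows, now, threshold=5):
    # summarize ... by SourceIP, DeviceEventClassID | where FailureCount > 5 | order by desc
    groups = defaultdict(list)
    for r in rows:
        if r["TimeGenerated"] > now - timedelta(days=1) and is_candidate(r):  # ago(1d) window
            groups[(r["SourceIP"], r["DeviceEventClassID"])].append(r)
    hits = []
    for (ip, cid), g in groups.items():
        if len(g) > threshold:
            hits.append({"SourceIP": ip, "DeviceEventClassID": cid, "FailureCount": len(g),
                         "UniqueUsers": len({r["SourceUserName"] for r in g}),
                         "UserList": make_set((r["SourceUserName"] for r in g), 20),
                         "DestinationIPs": make_set((r["DestinationIP"] for r in g), 5),
                         "SourcePorts": make_set((r["SourcePort"] for r in g), 5),
                         "FirstSeen": min(r["TimeGenerated"] for r in g),
                         "LastSeen": max(r["TimeGenerated"] for r in g)})
    return sorted(hits, key=lambda h: h["FailureCount"], reverse=True)

# Constructed sample rows shaped like CommonSecurityLog columns (not real Fortinet telemetry).
BASE = datetime(2026, 3, 2, 8, 0)
NOW = BASE + timedelta(hours=1)
def row(minute, vendor="Fortinet", cid="39424", activity="ssl-vpn-tunnel", action="failed",
        src="203.0.113.10", user="alice", dst="198.51.100.1", port=40000):
    return {"TimeGenerated": BASE + timedelta(minutes=minute), "DeviceVendor": vendor,
            "DeviceEventClassID": cid, "Activity": activity, "DeviceAction": action,
            "SourceIP": src, "SourceUserName": user, "DestinationIP": dst, "SourcePort": port}
ROWS = ([row(i, user=f"user{i % 3}", port=40000 + i) for i in range(7)]  # 7 failures, 3 accounts
        + [row(i, src="203.0.113.20", user="bob", port=41000 + i) for i in range(3)]  # under threshold
        + [row(-2 * 24 * 60, port=39000)]  # same source IP, but outside the 1d window
        + [row(5, vendor="PaloAlto", cid="", activity="", action="failed")])  # other vendor, ignored
```

Because the three match clauses are ORed, an event whose Activity merely contains "vpn" is counted even when DeviceAction reports success, so when tuning the threshold it is worth checking what share of the counted events actually carry a failure action.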

Details

David Alonso

Released: March 2, 2026

Tables

CommonSecurityLog

Keywords

CommonSecurityLog, DeviceVendor, DeviceEventClassID, Activity, DeviceAction, SourceUserName, DestinationIP, SourcePort, TimeGenerated, SourceIP

Operators

ago, has_any, summarize, count, dcount, make_set, min, max, by, order by, desc