Fortinet SSL-VPN and Admin Authentication Brute Force
17 CSL Fortinet VPN Brute Force
Query
CommonSecurityLog
| where TimeGenerated > ago(1d)
| where DeviceVendor == "Fortinet"
| where DeviceEventClassID has_any ("32001", "32002", "39424", "39952")
or Activity has_any ("ssl-vpn-tunnel", "vpn", "admin-login", "loginfailed",
"login failure", "authentication failed")
or DeviceAction has_any ("failed", "denied", "reject", "failure")
| summarize
FailureCount = count(),
UniqueUsers = dcount(SourceUserName),
UserList = make_set(SourceUserName, 20),
DestinationIPs = make_set(DestinationIP, 5),
SourcePorts = make_set(SourcePort, 5),
FirstSeen = min(TimeGenerated),
LastSeen = max(TimeGenerated)
by SourceIP, DeviceEventClassID
| where FailureCount > 5
| order by FailureCount descExplanation
This query is designed to detect potential brute force attacks targeting Fortinet SSL-VPN or administrative console logins. Here's a simplified breakdown:
-
Purpose: The query identifies instances where there are more than five failed login attempts from a single IP address within a day. This is indicative of automated attacks like credential stuffing or password spraying.
-
Data Source: It uses data from the "CommonSecurityEvents" connector, specifically looking at "CommonSecurityLog" data.
-
Time Frame: The query checks logs from the past day (1 day).
-
Conditions: It filters logs where:
- The vendor is "Fortinet".
- The event class ID or activity indicates a failed login attempt (e.g., "loginfailed", "authentication failed").
- The action is marked as "failed", "denied", "reject", or "failure".
-
Analysis:
- It counts the number of failed attempts (FailureCount).
- It identifies how many unique users were targeted (UniqueUsers).
- It lists the users, destination IPs, and source ports involved.
-
Alerting:
- If there are more than five failures from a single IP, it triggers an alert.
- The alert includes details like the source IP, number of failures, and unique users targeted.
-
Severity and Response:
- The severity is marked as "High".
- An incident is created for further investigation, grouping related alerts by IP.
-
MITRE ATT&CK Framework: It maps to the "Brute Force" technique (T1110) under the "Credential Access" tactic.
In essence, this query helps security teams quickly identify and respond to potential brute force attacks on Fortinet VPNs by highlighting suspicious login failure patterns.
Details

David Alonso
Released: March 2, 2026
Tables
Keywords
Operators
Severity
HighTactics
MITRE Techniques
Frequency: 1h
Period: 1d