Query Details

Fortigate Belsen Leak KQL Check

Query

// Fortigate Belsen Leak KQL Check

// In 2022, Fortinet revealed a critical authentication bypass vulnerability (CVE-2022-40684) impacting FortiOS, FortiProxy, and FortiSwitchManager. By January 2025, the Belsen Group had publicly released configurations from around 15,000 affected devices. The following KQL query scans your Fortinet firewall's Destination and Source IP logs within the CommonSecurityLog schema, matching them against the 15K+ leaked IPs from the Belsen Group.

// Load the leaked IP list (one IP per line) and expose it as a single column, LeakIP
let FortiBelsenLeakTable=externaldata(RawData:string)
[h'https://raw.githubusercontent.com/SlimKQL/Hunting-Queries-Detection-Rules/refs/heads/main/IOC/fortigate-belsen-leak-15K-IPs.txt']
| parse RawData with LeakIP:string;
// Most recent Fortinet log entry per DestinationIP over the last 7 days, kept only where it matches a leaked IP
let MatchedDestinationIP =
CommonSecurityLog
| where TimeGenerated > ago(7d)
| where DeviceVendor has "fortinet"
| summarize arg_max(TimeGenerated, *) by DestinationIP
| join FortiBelsenLeakTable on $left.DestinationIP == $right.LeakIP;
// Same for SourceIP, then combine both directions into one result set
CommonSecurityLog
| where TimeGenerated > ago(7d)
| where DeviceVendor has "fortinet"
| summarize arg_max(TimeGenerated, *) by SourceIP
| join FortiBelsenLeakTable on $left.SourceIP == $right.LeakIP
| union MatchedDestinationIP

Explanation

This KQL query is designed to help identify whether your Fortinet firewall logs contain IP addresses from the Belsen Group leak of devices affected by the CVE-2022-40684 authentication bypass. Here's a simple breakdown of what the query does:

  1. Data Source: It uses an external data source containing a list of over 15,000 IP addresses that were leaked by the Belsen Group. These IPs are associated with devices affected by the vulnerability.

  2. Log Filtering: The query examines logs from the past 7 days within the CommonSecurityLog schema, specifically looking at logs related to Fortinet devices.

  3. IP Matching:

    • It checks the DestinationIP and SourceIP fields in the logs to see if they match any of the leaked IPs from the Belsen Group.
    • For each match, it retrieves the most recent log entry for that IP.

  4. Result Compilation: The query combines the results of matched DestinationIP and SourceIP into a single output, providing a list of potential security incidents involving your Fortinet firewall.

In essence, this query helps you determine if any of your Fortinet devices have communicated with IPs known to be compromised or leaked, indicating a potential security breach.
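To make the matching logic above concrete outside of a Sentinel workspace, here is an added Python example (not part of the original query page, and not the author's code) that reproduces the same steps over constructed sample data: a tiny stand-in for the externaldata() file using documentation-range IPs, a handful of CommonSecurityLog-like records, the 7-day window, the vendor filter, the arg_max-per-IP reduction, and the union of the DestinationIP and SourceIP matches. All addresses, timestamps and the record layout are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Constructed stand-in for the leaked-IP file the KQL pulls via externaldata():
# one IP per line. Documentation-range addresses, not real leak entries.
LEAK_FILE_TEXT = """198.51.100.10
198.51.100.11
203.0.113.5
"""

# Fixed "now" so the 7-day window is deterministic (constructed).
NOW = datetime(2025, 1, 22, 12, 0, tzinfo=timezone.utc)

# Constructed CommonSecurityLog-like records:
# (TimeGenerated, DeviceVendor, SourceIP, DestinationIP)
SAMPLE_LOGS = [
    (NOW - timedelta(hours=1), "Fortinet", "10.0.0.5", "198.51.100.10"),   # outbound to a leaked IP, most recent
    (NOW - timedelta(days=2),  "Fortinet", "10.0.0.7", "198.51.100.10"),   # older entry for the same destination
    (NOW - timedelta(hours=3), "fortinet", "203.0.113.5", "10.0.0.9"),     # inbound from a leaked IP
    (NOW - timedelta(days=9),  "Fortinet", "198.51.100.11", "10.0.0.9"),   # leaked IP, but outside ago(7d)
    (NOW - timedelta(hours=2), "OtherVendor", "203.0.113.5", "10.0.0.1"),  # leaked IP, but not a Fortinet log
    (NOW - timedelta(hours=4), "Fortinet", "10.0.0.5", "192.0.2.1"),       # ordinary traffic, no match
]


def parse_leak_list(text):
    """Mirror `externaldata(RawData:string) | parse RawData with LeakIP:string`:
    one IP per line, blank lines ignored."""
    return {line.strip() for line in text.splitlines() if line.strip()}


def latest_per_ip(logs, field_index, now, window_days=7):
    """Mirror `where TimeGenerated > ago(7d) | where DeviceVendor has "fortinet"
    | summarize arg_max(TimeGenerated, *) by <ip field>`.
    Returns {ip: most recent record}. The `has` operator is approximated with a
    case-insensitive substring test, which is enough for a vendor string."""
    cutoff = now - timedelta(days=window_days)
    latest = {}
    for rec in logs:
        time_generated, vendor = rec[0], rec[1]
        if time_generated <= cutoff:
            continue
        if "fortinet" not in vendor.lower():
            continue
        ip = rec[field_index]
        if ip not in latest or time_generated > latest[ip][0]:
            latest[ip] = rec
    return latest


def find_leak_matches(logs, leak_text, now=NOW):
    """Mirror the two joins against the leak table and the final union.
    Returns a sorted list of (direction, matched_ip, time_generated_iso)."""
    leaked = parse_leak_list(leak_text)
    results = []
    for direction, idx in (("DestinationIP", 3), ("SourceIP", 2)):
        for ip, rec in latest_per_ip(logs, idx, now).items():
            if ip in leaked:
                results.append((direction, ip, rec[0].isoformat()))
    return sorted(results)


if __name__ == "__main__":
    for direction, ip, when in find_leak_matches(SAMPLE_LOGS, LEAK_FILE_TEXT):
        print(f"{direction:<14} {ip:<16} last seen {when}")
```

Two things the run makes visible that the query text alone does not: the arg_max step returns exactly one row per matched IP (the 2-day-old hit for 198.51.100.10 is collapsed into the 1-hour-old one, so the output is a list of IPs to triage, not a count of connections), and an entry that falls outside ago(7d) or comes from a non-Fortinet DeviceVendor never reaches the join. When reviewing real hits, a leaked address appearing as DestinationIP means outbound traffic from your network to an affected device, while one appearing as SourceIP means inbound traffic from it; if a matched address is one of your own firewall's public addresses, the match indicates that your device is itself in the leaked set rather than that it talked to one.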

Details

Steven Lim

Released: January 22, 2025

Tables

CommonSecurityLog

Keywords

Fortigate, Belsen, Leak, Vulnerability, FortiOS, FortiProxy, FortiSwitchManager, Devices, Firewall, IP, Logs, CommonSecurityLog, Fortinet, DestinationIP, SourceIP

Operators

let, externaldata, parse, with, where, has, summarize, arg_max, by, join, on, union