
Quick Start Security for Fortigate


Coralogix Extension For Fortigate Includes:

Dashboards - 1

Gain instantaneous visualization of all your Fortigate data.

Fortigate firewall Overview

Alerts - 15

Stay on top of Fortigate key performance metrics. Keep everyone in the know with integration with Slack, PagerDuty and more.

Suspicious Login Activity With Impossible Travel

This alert triggers when successful VPN logins are observed for the same user from more than 1 source country within a time interval of 10 minutes.

Impact: Consecutive successful logins within a short time interval for the same user from different locations could indicate malicious activity.

Mitigation: Check if the user is aware of the login activity and if it is legitimate. If not, investigate further. Also, make sure that authentication via MFA is in place.

MITRE Tactic: TA0001 MITRE Technique: T1078
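The detection logic described above, written out as an added example (not Coralogix's or Fortinet's code): it parses constructed Fortigate-style key="value" log lines and reports a user with successful VPN logins from two different countries within 10 minutes. The user, status and srccountry fields are assumed for this example; in practice the country is typically geo-IP enrichment of the remote IP.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in Fortigate's key="value" log syntax.
# Field names (user, status, srccountry) are assumptions for this example.
SAMPLE_LOGS = [
    'date=2024-03-01 time=09:00:05 type="event" subtype="vpn" action="ssl-login" '
    'status="success" user="alice" remip="203.0.113.10" srccountry="Germany"',
    'date=2024-03-01 time=09:04:40 type="event" subtype="vpn" action="ssl-login" '
    'status="success" user="alice" remip="198.51.100.7" srccountry="Brazil"',
    'date=2024-03-01 time=09:05:10 type="event" subtype="vpn" action="ssl-login" '
    'status="failure" user="bob" remip="192.0.2.44" srccountry="France"',
    'date=2024-03-01 time=09:30:00 type="event" subtype="vpn" action="ssl-login" '
    'status="success" user="bob" remip="192.0.2.44" srccountry="France"',
    'date=2024-03-01 time=09:45:00 type="event" subtype="vpn" action="ssl-login" '
    'status="success" user="bob" remip="198.51.100.9" srccountry="Japan"',
]

# Matches key=value where the value is either "quoted" or a bare token.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_fortigate(line):
    """Parse one Fortigate key=value line into a dict (quotes stripped)."""
    return {m.group(1): m.group(3) if m.group(3) is not None else m.group(4)
            for m in KV_RE.finditer(line)}


def impossible_travel(lines, window=timedelta(minutes=10)):
    """Return (user, country_a, country_b) tuples for successful VPN logins
    by the same user from different countries within `window` of each other.
    Failed logins are ignored; only successes count, as in the alert."""
    successes = defaultdict(list)  # user -> [(timestamp, country)]
    for line in lines:
        ev = parse_fortigate(line)
        if ev.get("subtype") != "vpn" or ev.get("status") != "success":
            continue
        ts = datetime.strptime(ev["date"] + " " + ev["time"], "%Y-%m-%d %H:%M:%S")
        successes[ev["user"]].append((ts, ev["srccountry"]))
    hits = []
    for user, logins in successes.items():
        logins.sort()  # chronological, so the inner loop can stop early
        for i, (t1, c1) in enumerate(logins):
            for t2, c2 in logins[i + 1:]:
                if t2 - t1 > window:
                    break  # later logins are even further apart
                if c1 != c2:
                    hits.append((user, c1, c2))
    return hits
```

Bob's France and Japan logins are 15 minutes apart, so only alice's Germany/Brazil pair is reported.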

Events For DLP Detected

This alert triggers for DLP events as part of unified threat management (UTM) logs. The data loss prevention you get with a UTM appliance enables you to detect data breaches and exfiltration attempts and then prevent them. To do this, the data loss prevention system monitors sensitive data, and when it identifies an attempt by a malicious actor to steal it, blocks the attempt, thereby protecting the data. Please see the below link for more details on UTM: https://www.fortinet.com/resources/cyberglossary/unified-threat-management

Impact: Threat actors, after breaching an organization, can exfiltrate and sell the stolen sensitive data on the dark web.

Mitigation: Monitor large amounts of data transferred to an external destination from a specific host. If the transfer is not legitimate, investigate it further.

MITRE Tactic: TA0009 MITRE Technique: T1005

Events For Application Control Detected

This alert triggers for application control events as part of UTM logs. Unified threat management (UTM) refers to when multiple security features or services are combined into a single device within your network. Using UTM, your network's users are protected with several different features, including antivirus, content filtering, email and web filtering, anti-spam, and more. Please see the below link for more details on UTM: https://www.fortinet.com/resources/cyberglossary/unified-threat-management

Impact: The application control log type has multiple event types such as 'port violation', 'protocol violation', and 'signature'. So, the impact depends on the method carried out by the threat actor.

Mitigation: Depends on the type of the log. Check fields like source IP, destination IP, direction, event type, action, level, etc. to investigate further.

MITRE Tactic: TA0011 MITRE Technique: T1071

Events For Suspicious SSL Connections Detected

This alert triggers for SSL connection events which are part of UTM logs. Unified threat management (UTM) refers to when multiple security features or services are combined into a single device within your network. Using UTM, your network's users are protected with several different features, including antivirus, content filtering, email and web filtering, anti-spam, and more. Please see the below link for more details on UTM: https://www.fortinet.com/resources/cyberglossary/unified-threat-management

Impact: Threat actors can use the TLS/SSL protocol to communicate with a C2 server so that their communication can't be intercepted and they can stay under the radar.

Mitigation: Depends on the type of the log. Check fields like source IP, destination IP, source country, destination country, event subtype, message, action, level, etc. to investigate further.

MITRE Tactic: TA0011 MITRE Technique: T1573

More than usual denied actions (By Source)

This alert triggers when the number of denied actions for any event from a single source IP exceeds its usual level. Specifically, the alert fires when the denied-action count for a source IP exceeds the usual number by more than the threshold value of 50 within a 5-minute time interval.

Impact: Depends on the type and parameters of the log. Please check the logs for more details.

Mitigation: To further investigate the alert, check fields like 'srcip', 'dstip', 'srccountry', 'policytype' in the log if these fields are present (can change per log). Also, check for any repeating alerts for the same user/machine/IP and adjacent logs.

More than usual denied actions (By Destination)

This alert triggers when the number of denied actions for any event exceeds the usual level. Specifically, the alert fires when the denied-action count exceeds the usual number by more than the threshold value of 50 within a 5-minute time interval.

Impact: Depends on the type and parameters of the log. Please check the logs for more details.

Mitigation: To further investigate the alert, check fields like 'srcip', 'dstip', 'srccountry', 'policytype' in the log if these fields are present (can change per log). Also, check for any repeating alerts for the same user/machine/IP and adjacent logs.

Event With 'Emergency' Priority Level Observed

This alert triggers for all Fortigate logs that have the priority level of 'emergency'.

Impact: Depends on the type and parameters of the log. Please check the logs for more details.

Mitigation: To further investigate the alert, check fields like 'msg', 'reason', 'action', 'user' in the log if these fields are present (can change per log). Also, check for any repeating alerts for the same user/machine/IP and adjacent logs.

Events For AntiVirus Detected

This alert triggers for virus-related attack events as part of unified threat management (UTM). A UTM comes with antivirus software that can monitor your network, and detect and stop viruses from damaging your system or its connected devices. This is done by leveraging the information in signature databases, which are storehouses containing the profiles of viruses, to check if any are active within your system or are trying to gain access. Please see the below link for more details on UTM: https://www.fortinet.com/resources/cyberglossary/unified-threat-management

Impact: A threat actor can infect your machines using infected files, trojans, worms, spyware, and other malware.

Mitigation: Depends on the type of log. Check fields such as source IP, destination IP, source country, action, event type, file type, etc. for more detail and take action accordingly.

MITRE Tactic: TA0005 MITRE Technique: T1562

Events For Email Detected

This alert triggers for email filter events as part of unified threat management (UTM). Unified threat management (UTM) refers to when multiple security features or services are combined into a single device within your network. Using UTM, your network's users are protected with several different features, including antivirus, content filtering, email and web filtering, anti-spam, and more. Please see the below link for more details on UTM: https://www.fortinet.com/resources/cyberglossary/unified-threat-management

Note: Please fine-tune this alert as per your requirements, as it checks for the "spam" event type, which can be noisy in some cases.

Impact: Threat actors usually target organizations by delivering emails with either attached malicious files or URLs to malicious websites, and can thereby gain initial access.

Mitigation: Depends on the type of the log. Check fields like source IP, destination IP, source country, severity, level, etc. to investigate further.

MITRE Tactic: TA0001 MITRE Technique: T1566

Events For Secure Socket Shell (SSH) Detected

This alert triggers for events related to Secure Socket Shell (SSH). These events can be of the category 'ssh-command'.

Impact: Adversaries may use Valid Accounts to log into remote machines using Secure Shell (SSH). The adversary may then perform actions as the logged-on user.

Mitigation: Check if the user is aware of this activity and if the traffic is legitimate. If not, investigate further. Check fields like source IP, destination IP, source country, severity, etc.

MITRE Tactic: TA0001 MITRE Technique: T1021 MITRE Sub-Technique: 004

Events For Anomaly SubType Detected

This alert triggers whenever anomalous traffic is seen in the network from a specific source address.

Impact: Anomalous traffic could be an indication of a DoS or DDoS attack. Adversaries may perform Denial of Service (DoS) attacks to degrade or block the availability of targeted resources to users.

Mitigation: Check the value of the attack field in the logs corresponding to the alert and identify whether it is legitimate activity or not. If not, investigate it further. Depending on flood volume, filtering may be possible by blocking the source addresses sourcing the attack, blocking ports that are being targeted, or blocking protocols being used for transport.

MITRE Tactic: TA0040 MITRE Technique: T1498

Events For Web Filter Detected

This alert triggers for web filter events as part of unified threat management (UTM). A UTM's web filtering feature can prevent users from seeing specific websites or Uniform Resource Locators (URLs). This is done by stopping users' browsers from loading the pages from those sites onto their devices. You can configure web filters to target certain sites according to what your organization aims to accomplish. Please see the below link for more details on UTM: https://www.fortinet.com/resources/cyberglossary/unified-threat-management

Impact: A threat actor may target organizations using web-based content. The web-based content can be fake/illegal websites, malicious downloads/attachments, JavaScript code or browser extensions, etc.

Mitigation: Check if the traffic is legitimate. If not, investigate further. Check fields like source IP, destination IP, source country, severity, etc.

MITRE Tactic: TA0001 MITRE Technique: T1190

Events For Intrusion Prevention System (IPS) Detected

This alert triggers for events related to the Intrusion Prevention System (IPS) as part of unified threat management (UTM). A UTM system can provide an organization with intrusion prevention capability, which detects and then prevents attacks. This functionality is often referred to as an intrusion detection system (IDS) or intrusion prevention system (IPS). To identify threats, an IPS analyzes packets of data, looking for patterns known to exist in threats. When one of these patterns is recognized, the IPS stops the attack. Please see the below link for more details on UTM: https://www.fortinet.com/resources/cyberglossary/unified-threat-management

Impact: A threat actor, once inside a network, may disable logging for the Intrusion Prevention System (IPS) so that their actions go unnoticed. If IPS is disabled, malicious packets will make it into the network.

Mitigation: Depends on the type of log. Check fields such as source IP, destination IP, source country, action, event type, severity, etc. for more detail and take action accordingly.

MITRE Tactic: TA0005 MITRE Technique: T1562

No logs from Fortigate in last 12 hours

This alert triggers when no logs have been seen from Fortigate in your account in the past 12 hours.

Impact: An adversary may disable logging capabilities and integrations to limit what data is collected on their activities and avoid detection.

Mitigation: Investigate the root cause of this behavior and re-enable logging if it is disabled. Additionally, administrators can manage policies to ensure only necessary users have permission to make changes to logging policies.

MITRE Tactic: TA0005 MITRE Technique: T1562

Multiple Failed Login Attempts

This alert triggers when there are multiple failed VPN login attempts or failed admin login attempts within a specific interval for the same user.

Impact: Adversaries may use brute force techniques to gain access to accounts when passwords are unknown or when password hashes are obtained. Without knowledge of the password for an account or set of accounts, an adversary may systematically guess the password using a repetitive or iterative mechanism.

Mitigation: Investigate the failed login attempts and verify with the user that they were the one trying to log in. If not, investigate the source of the login attempts further to determine a possible compromise. Also, make sure that MFA is enabled.

MITRE Tactic: TA0006 MITRE Technique: T1110

Integration

Learn more about Coralogix's out-of-the-box integration with Fortigate in our documentation.
