FortiSIEM Security Related Rules and Reports

Security Related Rules and Reports
Security Rules

Access Control Violations

Network Scanning Activity

Malware

Explicit Security Exploits

Policy Violations

Security Reports

Access Control Reports

Malware Reports

Other Security Issues

Network Traffic Analysis

Access Control Violations

Network Device Access

Multiple Admin Login Failures: Net Device: Detects excessive logon failures at a network device – 5 consecutive failures in a 10 minute period.

Repeated Admin Multiple Login Failures: Net Device: Detects repeating occurrences of multiple logon failures at a network device

Account Locked: Network Device: Detects account lockout caused by excessive logon failures

Server Access

Multiple Logon Failures: Server: Detects excessive logon failures at a server – 5 consecutive failures in a 10 minute period

Repeated Multiple Logon Failures: Server: Detects repeating occurrences of multiple logon failures at a server from the same user.

Multiple Privileged Logon Failures: Server: Detects excessive privileged logon failures at a server – 3 consecutive failures in a 10 minute period

Account Locked: Server: Detects account lockout caused by excessive logon failures

Network Access

Multiple Logon Failures: Domain: Detects multiple domain logon failures – 5 consecutive failures in a 10 minute period

Repeated Multiple Logon Failures: Domain: Detects repeating occurrences of multiple domain logon failures

Multiple Logon Failures: VPN: Detects multiple VPN logon failures – 5 consecutive failures in a 10 minute period

Repeated Multiple Logon Failures: VPN: Detects repeating occurrences of excessive VPN logon failures

Multiple Logon Failures: WLAN: Detects multiple wireless logon failures – 5 consecutive failures in a 10 minute period

Repeated Multiple Logon Failures: WLAN: Detects repeating occurrences of excessive wireless LAN logon failures

Account Locked: Domain: Detects account lockout caused by excessive logon failures

Application Access

Multiple Logon Failures: Web Server: Detects excessive application logon failures – 5 consecutive failures in a 10 minute period. Application logons include any that require authentication to access the application, such as HTTP, SNMP, FTP, POP3, IMAP etc.

Repeated Multiple Logon Failures: Web Server: Detects repeating occurrences of multiple application logon failures

Multiple Logon Failures: Database: Detects excessive database logon failures – 5 consecutive failures in a 10 minute period.

Repeated Multiple Logon Failures: Database: Detects repeating occurrences of multiple application logon failures

Multiple Logon Failures: Misc App: Detects excessive application logon failures – 5 consecutive failures in a 10 minute period. Application logons include any that require authentication to access the application, such as HTTP, SNMP, FTP, POP3, IMAP etc.

Repeated Multiple Logon Failures: Misc App: Detects repeating occurrences of multiple application logon failures

Special situations

Privileged Command Execution Failure: Detects excessive privileged command execution (e.g. sudo exec) failure at a server

Disabled Account Logon Attempt: Detects logon attempts to disabled accounts

Logon Time Restriction Violation: Detects logon attempts at times which are not permitted by policy

Multiple Logon Failures: Same Src, Multiple Hosts: Detects the same source having excessive logon failures at distinct hosts

Multiple Logon Failures: Same Src and Dest, Multiple Accounts: Detects the same source having excessive logon failures at the same destination host while multiple distinct accounts are used in the failed logons

Suspicious Logon Failure: no following successful login: Detects an unusual condition where a source has authentication failures at a host that are not followed by a successful authentication at the same host within the same day

Failed VPN Logon From Outside My Country: Detects a failed VPN logon from outside my country. My Country is set to “United States” by default and needs to be changed for deployments outside the United States

Concurrent Failed Authentications To Same Account From Multiple Countries: Detects simultaneous failed server/network device/domain authentications to the same system and the same account from different countries. This may indicate stolen credentials unless it is an administrative account that is supposed to be accessed by administrators from multiple countries.

Concurrent Failed Authentications To Same Account From Multiple Cities: Detects simultaneous failed server/network device/domain authentications to the same system and the same account from different cities. This may indicate stolen credentials unless it is an administrative account that is supposed to be accessed by administrators from multiple cities.

Concurrent Successful Authentications To Same Account From Multiple Countries: Detects simultaneous successful server/network device/domain authentications to the same system and the same account from different countries. This may indicate stolen credentials unless it is an administrative account that is supposed to be accessed by administrators from multiple countries.

Concurrent Successful Authentications To Same Account From Multiple Cities: Detects simultaneous successful server/network device/domain authentications to the same system and the same account from different cities. This may indicate stolen credentials unless it is an administrative account that is supposed to be accessed by administrators from multiple cities.

Concurrent VPN Authentications To Same Account From Different Cities: Detects simultaneous VPN authentications to the same account within a short period of time from different cities. This may indicate a stolen credential.

Suspicious logon attempt detected: Detects suspicious logon attempts that indicate policy violations, e.g. root logon to database servers, default passwords, attempts to bypass authentication, root logon over unencrypted protocols such as Telnet, ftp, anonymous logons etc.

Transient Account Usage: Detects that an account was created, used and then deleted within a short period of time

Multiple Accounts Disabled by Administrator: Detects that multiple (more than 3) accounts were disabled by administrator in a short period of time
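Every failed-logon rule above is the same operation with a different grouping key: count something inside a sliding time window and fire when a threshold is reached. The block below is an added example in Python, not FortiSIEM's rule engine or its rule XML, that runs four of those correlations over a constructed set of normalised authentication events: the per-account "Multiple Logon Failures: Server" rule (5 failures in 10 minutes, reset by a success so the run is really consecutive), "Same Src, Multiple Hosts", "Same Src and Dest, Multiple Accounts" (the password-spray pattern), and "Suspicious Logon Failure: no following successful login". The 5-in-10-minutes figure comes from the rule text; the event tuple layout and the DISTINCT_THRESHOLD value are assumptions, since the page gives no number for the multi-host and multi-account variants.

```python
"""Windowed correlation of authentication failures, modelled on the Access
Control rules above.  Added example, not FortiSIEM's own rule logic; the
event layout (timestamp, source, destination, account, result) and the
DISTINCT_THRESHOLD value are assumptions."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)   # from the rule text: 10 minute period
FAIL_THRESHOLD = 5               # from the rule text: 5 consecutive failures
DISTINCT_THRESHOLD = 5           # assumption: page gives no number for the
                                 # distinct-host / distinct-account rules

# Constructed sample events (not a real log): timestamp, src, dst, account, result.
EVENTS = [
    # slow brute force: 5 failures, but spread over an hour -> outside the window
    ("2024-05-01 08:00:00", "10.1.1.90", "srv-ftp01", "gina", "fail"),
    ("2024-05-01 08:15:00", "10.1.1.90", "srv-ftp01", "gina", "fail"),
    ("2024-05-01 08:30:00", "10.1.1.90", "srv-ftp01", "gina", "fail"),
    ("2024-05-01 08:45:00", "10.1.1.90", "srv-ftp01", "gina", "fail"),
    ("2024-05-01 09:00:00", "10.1.1.90", "srv-ftp01", "gina", "fail"),
    # benign typo followed by a successful logon
    ("2024-05-01 09:00:30", "10.1.1.80", "srv-web01", "frank", "fail"),
    ("2024-05-01 09:01:00", "10.1.1.80", "srv-web01", "frank", "success"),
    # password spray: one source, one server, five accounts in five seconds
    ("2024-05-01 10:00:01", "10.1.1.50", "srv-db01", "alice", "fail"),
    ("2024-05-01 10:00:02", "10.1.1.50", "srv-db01", "bob", "fail"),
    ("2024-05-01 10:00:03", "10.1.1.50", "srv-db01", "carol", "fail"),
    ("2024-05-01 10:00:04", "10.1.1.50", "srv-db01", "dave", "fail"),
    ("2024-05-01 10:00:05", "10.1.1.50", "srv-db01", "erin", "fail"),
    # brute force on one account that eventually succeeds
    ("2024-05-01 10:05:00", "10.1.1.60", "srv-web01", "admin", "fail"),
    ("2024-05-01 10:06:00", "10.1.1.60", "srv-web01", "admin", "fail"),
    ("2024-05-01 10:07:00", "10.1.1.60", "srv-web01", "admin", "fail"),
    ("2024-05-01 10:08:00", "10.1.1.60", "srv-web01", "admin", "fail"),
    ("2024-05-01 10:09:00", "10.1.1.60", "srv-web01", "admin", "fail"),
    ("2024-05-01 10:10:00", "10.1.1.60", "srv-web01", "admin", "success"),
    # one source trying root on five different hosts
    ("2024-05-01 10:20:00", "10.1.1.70", "srv-app01", "root", "fail"),
    ("2024-05-01 10:21:00", "10.1.1.70", "srv-app02", "root", "fail"),
    ("2024-05-01 10:22:00", "10.1.1.70", "srv-app03", "root", "fail"),
    ("2024-05-01 10:23:00", "10.1.1.70", "srv-app04", "root", "fail"),
    ("2024-05-01 10:24:00", "10.1.1.70", "srv-app05", "root", "fail"),
]


def parse(events):
    """Convert the timestamp strings to datetimes and order the events by time."""
    parsed = [(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), src, dst, user, res)
              for ts, src, dst, user, res in events]
    return sorted(parsed, key=lambda e: e[0])


def windowed_alerts(events, key_fn, value_fn, threshold, reset_on_success=False):
    """Slide WINDOW over the failures of each key and alert when the number of
    distinct values inside the window reaches the threshold.  value_fn picks
    what to count: the event index for a plain failure count, or the target
    host / account for the distinct-host and distinct-account rules."""
    state = defaultdict(deque)
    alerts = set()
    for i, ev in enumerate(events):
        ts, result = ev[0], ev[4]
        key = key_fn(ev)
        if result != "fail":
            if reset_on_success:
                state[key].clear()     # a success ends the "consecutive" run
            continue
        dq = state[key]
        dq.append((ts, value_fn(i, ev)))
        while ts - dq[0][0] > WINDOW:  # drop failures older than the window
            dq.popleft()
        if len({v for _, v in dq}) >= threshold:
            alerts.add(key)
    return sorted(alerts)


def multiple_logon_failures(events):
    """Multiple Logon Failures: Server -- 5 consecutive failures in 10 minutes
    for the same source, server and account."""
    return windowed_alerts(events, lambda e: (e[1], e[2], e[3]),
                           lambda i, e: i, FAIL_THRESHOLD, reset_on_success=True)


def same_src_multiple_hosts(events):
    """Multiple Logon Failures: Same Src, Multiple Hosts."""
    return windowed_alerts(events, lambda e: e[1], lambda i, e: e[2], DISTINCT_THRESHOLD)


def same_src_dest_multiple_accounts(events):
    """Multiple Logon Failures: Same Src and Dest, Multiple Accounts (spraying)."""
    return windowed_alerts(events, lambda e: (e[1], e[2]), lambda i, e: e[3], DISTINCT_THRESHOLD)


def failures_without_success(events):
    """Suspicious Logon Failure: no following successful login -- (source, host)
    pairs that failed on a calendar day and never succeeded on that host that day."""
    failed, succeeded = set(), set()
    for ts, src, dst, user, res in events:
        (failed if res == "fail" else succeeded).add((ts.date(), src, dst))
    return sorted((src, dst) for _, src, dst in failed - succeeded)
```

Note the two things the example makes visible that the rule names alone do not: a slow attack at one attempt every 15 minutes never trips a 5-in-10-minutes rule (the gina events), which is why the "no following successful login" rule exists as a backstop, and the spraying source never trips the per-account rule because each account sees only one failure, which is why the distinct-account keying is needed.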

Network Scanning Activity

Heavy TCP Host Scan: Detects excessive half-open TCP sessions from the same source to many distinct destinations in a short period of time. The threshold is 200 flows within 3 minutes. Scanning may be a precursor to exploits. However, network management and mapping tools often scan the network for discovery purposes and authorized scanners need to be blacklisted. P2P clients also exhibit this behavior when they attempt to establish connections to (non-existent) peers.

Heavy TCP Host Scan On Fixed Port: Detects excessive half-open TCP sessions from the same source to many distinct destinations and on the same destination port in a short period of time. The threshold is 200 flows within 3 minutes. A fixed destination port may indicate that the scanning host is attempting to find hosts on a well known port (with a vulnerability). Scanning may be a precursor to exploits. However, network management and mapping tools often scan the network for discovery purposes and authorized scanners need to be blacklisted. P2P clients also exhibit this behavior when they attempt to establish connections to (non-existent) peers.

Heavy TCP Port Scan: Single Host: Detects a host performing a port scan – this involves excessive half-open TCP connections from the same source to many distinct ports on a host in a short period of time. The threshold is at least 20 distinct ports in a 2 minute window

Heavy TCP Port Scan: Multiple Hosts: Detects that a source is doing port scans on multiple hosts. The thresholds are port scans on at least 5 hosts in 15 minute window

Heavy UDP Host Scan: Detects excessive number of UDP connections from the same source to many distinct destinations in a short period of time. The threshold is 200 flows within 3 minutes. Scanning may be a precursor to exploits. However, network management and mapping tools often scan the network for discovery purposes and authorized scanners need to be blacklisted. P2P clients also exhibit this behavior when they attempt to establish connections to (non-existent) peers.

Heavy UDP Host Scan On Fixed Port: Detects excessive number of UDP connections from the same source to many distinct destinations and on the same destination port in a short period of time. The threshold is 200 flows within 3 minutes. A fixed destination port may indicate that the scanning host is attempting to find hosts on a well known port (with a vulnerability). Scanning may be a precursor to exploits. However, network management and mapping tools often scan the network for discovery purposes and authorized scanners need to be blacklisted. P2P clients also exhibit this behavior when they attempt to establish connections to (non-existent) peers.

Heavy UDP Port Scan: Single Host: Detects excessive UDP connections from the same source to many distinct ports on the same destination in a short period of time

Heavy UDP Port Scan: Multiple Hosts: Detects that a source is doing UDP port scans on multiple hosts. The thresholds are port scans on at least 5 hosts in 15 minute window

Heavy ICMP Ping Sweep: Detects excessive number of ICMP echo request packets from the same source to many distinct destinations in a short period of time. The Nachi worm used pings to find hosts to spread to. The threshold is 50 pings within 3 minutes. Scanning may be a precursor to exploits. However, network management and mapping tools often scan the network for discovery purposes and authorized scanners need to be blacklisted.

Excessive ICMP Unreachables: Detects an unusually high frequency of ICMP destination unreachable packets between the same source and destination – this usually indicates a routing error

TCP DDOS Attack: Detects excessive number of half-open TCP connections from many distinct sources to the same destination host and on the same port in a short period of time. This may indicate that the destination server is under some sort of attack.

Excessive Denied Connections From Same Src: Detects excessive denies from the same source to many distinct destinations on the same port in a short period of time. The intent could be malicious or some sort of misconfiguration.

Excessive Denied Connections To Same Destination: Detects excessive denies from many distinct sources to the same destination on the same destination port

Multiple IPS Scans From Same Src: Detects multiple IPS scans from the same source IP in a short period of time.

Invalid TCP/UDP Port Traffic: Detects invalid TCP/UDP traffic with port 0

Invalid TCP Flags – Medium Intensity: Detects a moderate amount (e.g. 100 or more flows in 5 minutes) of traffic with invalid TCP flag combinations (NULL, FIN, SYN-FIN, SYN-FIN-PUSH, SYN-FIN-RESET, SYN-FIN-RESET-PUSH, SYN-FIN-RESET-PUSH-ACK-URG) – may indicate scanning and probing activity from the sender

Invalid TCP Flags – High Intensity: Detects an excessive amount (e.g. 500 or more flows in 5 minutes) of traffic with invalid TCP flag combinations (FIN, SYN-FIN, SYN-FIN-PUSH, SYN-FIN-RESET, SYN-FIN-RESET-PUSH, SYN-FIN-RESET-PUSH-ACK-URG) – may indicate scanning and probing activity from the sender

Excessive ICMP Traffic From Same Source: Detects excessive (e.g. more than 5000 in 5 minutes) ICMP traffic from the same source
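The scan rules above are distinct-count rules over half-open flows, and the invalid-flag rules are plain counts over flows whose flag combination cannot occur in a legitimate handshake. The block below is an added example in Python, not FortiSIEM's rule logic, that implements "Heavy TCP Host Scan", "Heavy TCP Host Scan On Fixed Port", "Heavy TCP Port Scan: Single Host" and both "Invalid TCP Flags" rules over constructed flow records, using the thresholds the page states (200 flows in 3 minutes, 20 ports in 2 minutes, 100 and 500 flows in 5 minutes). Two assumptions are labelled in the code: the flow record carries the TCP flags of the flow's first packet plus a flag saying whether the three-way handshake completed (that is how "half-open" is decided here; a real exporter may expose this differently), and the windows are fixed buckets rather than the sliding windows a SIEM uses, which is simpler but can split a scan that straddles a bucket boundary.

```python
"""Flow-based scan and invalid-flag detection, modelled on the Network
Scanning rules above.  Added example, not FortiSIEM code.  Assumptions:
`flags` holds the TCP flags of the first packet of the flow, `established`
says whether the handshake completed, and time windows are fixed buckets."""
from collections import defaultdict, namedtuple

# ts: epoch seconds; flags: set of S/A/F/R/P/U; established: handshake done?
Flow = namedtuple("Flow", "ts src dst dport flags established")

HOST_SCAN_FLOWS, HOST_SCAN_WINDOW = 200, 180   # 200 flows within 3 minutes
PORT_SCAN_PORTS, PORT_SCAN_WINDOW = 20, 120    # 20 distinct ports in 2 minutes
BAD_FLAGS_WINDOW, BAD_FLAGS_MED, BAD_FLAGS_HIGH = 300, 100, 500  # 5 min; 100 / 500


def is_half_open(f):
    """A SYN that never became a connection (assumption: exporter reports this)."""
    return f.flags == {"S"} and not f.established


def has_invalid_flags(flags):
    """NULL, lone FIN, or anything carrying SYN and FIN together.  Every
    combination listed in the two Invalid TCP Flags rules falls in one of
    these three classes; a lone FIN with ACK is a normal connection teardown."""
    return not flags or flags == {"F"} or {"S", "F"} <= flags


def distinct_in_buckets(flows, key_fn, value_fn, window):
    """Map (key, time bucket) -> set of distinct values seen in that bucket.
    Fixed buckets can miss a scan spread across a boundary; a SIEM slides."""
    buckets = defaultdict(set)
    for f in flows:
        buckets[(key_fn(f), f.ts // window)].add(value_fn(f))
    return buckets


def heavy_tcp_host_scans(flows):
    """Heavy TCP Host Scan: one source, >= 200 distinct destinations, half-open."""
    b = distinct_in_buckets([f for f in flows if is_half_open(f)],
                            lambda f: f.src, lambda f: f.dst, HOST_SCAN_WINDOW)
    return sorted({src for (src, _), dsts in b.items() if len(dsts) >= HOST_SCAN_FLOWS})


def heavy_tcp_host_scans_fixed_port(flows):
    """Heavy TCP Host Scan On Fixed Port: same as above, keyed on (src, dport)."""
    b = distinct_in_buckets([f for f in flows if is_half_open(f)],
                            lambda f: (f.src, f.dport), lambda f: f.dst, HOST_SCAN_WINDOW)
    return sorted({key for (key, _), dsts in b.items() if len(dsts) >= HOST_SCAN_FLOWS})


def heavy_tcp_port_scans(flows):
    """Heavy TCP Port Scan: Single Host: one (src, dst), >= 20 distinct ports."""
    b = distinct_in_buckets([f for f in flows if is_half_open(f)],
                            lambda f: (f.src, f.dst), lambda f: f.dport, PORT_SCAN_WINDOW)
    return sorted({key for (key, _), ports in b.items() if len(ports) >= PORT_SCAN_PORTS})


def invalid_flag_senders(flows):
    """Invalid TCP Flags, Medium / High Intensity: {src: 'medium' | 'high'}."""
    counts = defaultdict(int)
    for f in flows:
        if has_invalid_flags(f.flags):
            counts[(f.src, f.ts // BAD_FLAGS_WINDOW)] += 1
    result = {}
    for (src, _), n in counts.items():
        level = "high" if n >= BAD_FLAGS_HIGH else "medium" if n >= BAD_FLAGS_MED else None
        if level and result.get(src) != "high":
            result[src] = level
    return result


def sample_flows():
    """Constructed flow records (not captured traffic)."""
    flows = []
    # 10.0.0.5: SYN sweep of 210 hosts on 445/tcp inside one 3-minute bucket
    for i in range(210):
        flows.append(Flow(900 + i // 3, "10.0.0.5", f"10.20.0.{i}", 445, {"S"}, False))
    # 10.0.0.6: 25 ports probed on a single host
    for p in range(1, 26):
        flows.append(Flow(2000 + p, "10.0.0.6", "10.20.1.10", p, {"S"}, False))
    # 10.0.0.7: 120 SYN-FIN-PUSH-URG probes, never establishing
    for i in range(120):
        flows.append(Flow(3000 + i, "10.0.0.7", "10.20.1.11", 1000 + i, {"S", "F", "P", "U"}, False))
    # 10.0.0.8: ordinary completed HTTPS connections
    for i in range(5):
        flows.append(Flow(4000 + i, "10.0.0.8", "10.20.1.12", 443, {"S"}, True))
    return flows
```

The SYN-FIN-PUSH-URG probes from 10.0.0.7 are deliberately not counted by the host-scan and port-scan rules, because their first packet is not a plain SYN; that is why FortiSIEM carries both families of rules, and why an authorized-scanner allow list has to be applied to both.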

 

Malware

Source: Antivirus, Security gateway, Host IPS, Network IPS, Firewall Log

Virus outbreak: Detects potential virus outbreak – same virus found on three distinct computers/IP addresses

Virus found but not remediated: Detects that host anti-virus or content inspection devices found a virus but could not remediate it

Spyware found but not remediated: Detects that host anti-virus or content inspection devices found spyware but could not remediate it

Spam/Malicious Mail Attachment found but not remediated:

Scanner found severe vulnerability:

Rootkit found:

Phishing attack found but not remediated:

Malware found but not remediated:

Denied Blacklisted Source:

Denied Blacklisted Destination:

Multiple Distinct IPS Events From Same Src:

Permitted Blacklisted Source:

Permitted Blacklisted Destination:

Source: External threat intelligence

Traffic to Zeus Blocked IP List:

Traffic to Emerging Threat Spamhaus List:

Traffic to Emerging Threat Shadow server List:

Traffic to Emerging Threat RBN List:

Traffic to Emerging Threat Dshield List:

Permitted traffic from Emerging Threat Spamhaus List:

Permitted Traffic from Zeus Blocked IP List:

Permitted Traffic from Emerging Threat Shadow server List:

Permitted Traffic from Emerging Threat RBN List:

Permitted Traffic from Emerging Threat Dshield List:

DNS Traffic to Malware Domains:

Adware process found:

Traffic to bogon networks:

Source: Network Traffic Analysis

Excessive End User Mail: Detects a scenario where a host, that is itself not an authorized mail gateway, is sending excessive emails (more than 20 emails in 2 minutes). This behavior may indicate malware running on an end host that is trying to send spam or privileged information to its own set of mail servers (which may be compromised).

Excessive Denied End User Mail To Unauthorized Mail Gateways: Detects a scenario where a host, that is itself not an authorized mail gateway, is unsuccessfully trying to send excessive emails to unauthorized mail gateways. Authorized mail gateways are represented by the “Mail Gateway” group. Such requests would typically be denied because either the firewall blocks SMTP from end hosts and/or mail gateways only receive mail from other authorized mail gateways. This behavior may indicate malware running on an end host that is trying to send spam or privileged information to its own set of mail servers (which may be compromised).

End User DNS Queries to Unauthorized DNS Servers: Detects a scenario where a host, that is itself not a DNS server, is trying to send DNS requests to unauthorized DNS servers. Authorized DNS servers are represented by the “DNS Server” group. In a typical scenario, end hosts always send DNS requests to authorized DNS servers which in turn communicate with other DNS servers – so this behavior may indicate malware running on the end host.

Excessive End User DNS Queries: Detects a scenario where a host, that is itself not a DNS server, is sending excessive DNS requests. Authorized DNS servers are represented by the “DNS Server” group. In a typical scenario, the frequency of end host DNS requests is not high unless a script is running – this might indicate the presence of malware on the end host.

Excessive Denied DNS Queries: Detects a scenario where a host has a very high frequency of denied DNS traffic.

Excessive Uncommon DNS Queries: Detects the same host, that is not a DNS server, doing an excessive amount of uncommon domain name queries – this indicates the host is likely infected with malware. An end host typically needs to perform only A and PTR queries; any other query type indicates the likely presence of malware.

Excessive Repeated DNS Queries To Same Domain: Detects an unusually high frequency of DNS name resolution queries from the same host to the same domain name in a short period of time. This is not expected behavior since, in a typical scenario, the domain name resolution is cached at the end point. Repeated queries indicate that a special DNS client is likely running at the end host that is trying to make use of fast flux techniques to get back many infected hosts behind a crafted domain name.

Excessive Malware Domain Name Queries: Detects bad domain name queries which indicate malware infected end hosts.

 

Suspicious Botnet like End host DNS Behavior: Detects an end host meeting at least 3 requirements for suspicious use of DNS requests – this indicates that a bot is likely running on the end host

Unusually Large ICMP Echo Packets: Detects large (> 200 bytes/pkt) ICMP echo request and response packets – this is unusual since ICMP packets carry minimal information and are small in size. This may indicate that some other traffic is being tunneled over the ICMP protocol.

Unusual ICMP Traffic:
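The DNS rules in this section each look at one symptom of a compromised end host, and "Suspicious Botnet like End host DNS Behavior" fires when at least three of them coincide. The block below is an added example in Python, not FortiSIEM's rule logic, that computes those indicators per host over a constructed DNS query log and applies the three-indicator rule: queries sent to resolvers outside the "DNS Server" group, an excessive total, uncommon query types, the same name queried repeatedly despite caching, a burst of NXDOMAIN/REFUSED answers, and a hit on a malware-domain list. The page gives no thresholds for these rules, so the numbers here are assumptions; the malware-domain list and the resolver IPs are constructed; and AAAA is added to the page's A/PTR list of "common" types because IPv6-capable hosts issue it routinely and counting it would drown the uncommon-query indicator in false positives.

```python
"""Per-host DNS behaviour indicators, modelled on the Malware / Network
Traffic Analysis rules above.  Added example, not FortiSIEM code.  The
thresholds, the resolver addresses and MALWARE_DOMAINS are assumptions."""
from collections import Counter, defaultdict, namedtuple

# ts: epoch seconds; server: resolver the query went to; rcode: answer code
Query = namedtuple("Query", "ts src server qtype qname rcode")

DNS_SERVERS = {"10.0.0.53"}              # the page's "DNS Server" group (constructed)
COMMON_QTYPES = {"A", "PTR", "AAAA"}     # page lists A and PTR; AAAA added (assumption)
MALWARE_DOMAINS = {"c2.bad-example.test"}  # constructed stand-in for a threat feed

# Assumed thresholds for one evaluation window; the page gives no figures.
T_TOTAL, T_UNCOMMON, T_REPEAT, T_DENIED = 100, 10, 20, 20
BOTNET_INDICATORS = 3                    # from the rule: "at least 3 requirements"


def host_indicators(queries):
    """Return {host: [matched indicator names]} for every host that is not
    itself a DNS server (resolvers legitimately talk to outside servers)."""
    by_host = defaultdict(list)
    for q in queries:
        if q.src not in DNS_SERVERS:
            by_host[q.src].append(q)

    out = {}
    for host, qs in by_host.items():
        hit = []
        # End User DNS Queries to Unauthorized DNS Servers
        if any(q.server not in DNS_SERVERS for q in qs):
            hit.append("unauthorized_dns_server")
        # Excessive End User DNS Queries
        if len(qs) >= T_TOTAL:
            hit.append("excessive_queries")
        # Excessive Uncommon DNS Queries (TXT/NULL/ANY... from an end host)
        if sum(q.qtype not in COMMON_QTYPES for q in qs) >= T_UNCOMMON:
            hit.append("uncommon_qtypes")
        # Excessive Repeated DNS Queries To Same Domain (cache should absorb these)
        if Counter(q.qname for q in qs).most_common(1)[0][1] >= T_REPEAT:
            hit.append("repeated_same_domain")
        # Excessive Denied DNS Queries (DGA names that do not exist)
        if sum(q.rcode in ("NXDOMAIN", "REFUSED") for q in qs) >= T_DENIED:
            hit.append("denied_queries")
        # Excessive Malware Domain Name Queries
        if any(q.qname in MALWARE_DOMAINS for q in qs):
            hit.append("malware_domain")
        out[host] = hit
    return out


def botnet_like_hosts(queries):
    """Suspicious Botnet like End host DNS Behavior: >= 3 indicators on one host."""
    return sorted(h for h, ind in host_indicators(queries).items()
                  if len(ind) >= BOTNET_INDICATORS)


def sample_queries():
    """Constructed DNS query log (not captured traffic)."""
    qs = []
    # 10.0.0.20: TXT beacons every 10 s to a resolver outside the group, same name each time
    for i in range(30):
        qs.append(Query(1000 + 10 * i, "10.0.0.20", "203.0.113.53", "TXT",
                        "c2.bad-example.test", "NOERROR"))
    # ...followed by a burst of DGA-looking names that do not resolve
    for i in range(25):
        qs.append(Query(1300 + i, "10.0.0.20", "10.0.0.53", "A",
                        f"x{i:03d}q.example.test", "NXDOMAIN"))
    # 10.0.0.21: ordinary browsing, A/AAAA lookups for distinct names via the internal resolver
    for i in range(15):
        qs.append(Query(1000 + 20 * i, "10.0.0.21", "10.0.0.53",
                        "A" if i % 2 else "AAAA", f"site{i}.example.com", "NOERROR"))
    # 10.0.0.53 is the internal resolver; its upstream lookups must not be scored
    qs.append(Query(1001, "10.0.0.53", "203.0.113.53", "A", "site1.example.com", "NOERROR"))
    return qs
```

The exclusion of hosts in the DNS_SERVERS group matters as much as the thresholds: without it the internal resolver, which by design queries outside servers at a high rate for many distinct names, would be the first host flagged. The same group-membership check is what FortiSIEM's "DNS Server" and "Mail Gateway" groups provide for the rules above.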

Explicit Security Issues

SQL Injection Attack detected by NIPS:

High Severity Non-Cisco IPS Exploit:

High Severity Inbound Permitted IPS Exploit:

High Severity Inbound Denied Security Exploit:

High Risk Rating Cisco IPS Exploit:

Excessive WLAN Exploits: Same Source:

Excessive WLAN Exploits:

DoS Attack detected by NIPS:

Distributed DoS Attack detected by NIPS:

Layer 2 Switch Port Security Violation:

Policy violations

Firewall Perimeter Policy

Outbound cleartext password usage detected:

Inbound cleartext password usage detected:

VNC from Internet:

Remote Desktop from Internet:

Large Outbound Transfer:

Large Outbound Transfer To Outside My Country:

Large Inbound Transfer From Outside My Country:

External website access policy

Inappropriate Website access: Multiple categories:

Inappropriate Website access: High volume:

Inappropriate Website access:

Internal website access policy

Executable file posting from external source:

Excessive HTTP Client Side Errors:

Excessive FTP Client Side Errors:

Change control policy

Windows Audit Log Cleared:

Windows Audit Disabled:

WLAN policy

Rogue or Unsecure AP Detected:

Excessive Rogue or Unsecure APs Detected:

Wireless Host Blacklisted:

VPN policy

Long lasting VPN session:

High throughput VPN session:

Suspicious Traffic

Tunneled traffic detected:

IRC traffic detected:

P2P traffic consuming high network bandwidth:

 

Access Control Reports

Network Device Access

Failed Router Admin Logons: Details about failed router administrative logons

Successful Router Admin Logons: Details about successful router administrative logons

Failed Firewall Admin Logons: Details about failed firewall administrative logons

Successful Firewall Admin Logons: Details about successful firewall administrative logons

Failed VPN Admin Logon: Provides event details for all failed VPN admin logons

Successful VPN Admin Logon: Provides event details for all successful VPN admin logons

Successful WLAN Admin Logon: Tracks successful admin logons to the WLAN Controller

Failed WLAN Admin Logon: Tracks failed admin logons to the WLAN Controller

Network Access

Top Users Ranked By Successful VPN Logon: Ranks the VPN Gateways and their users by the number of successful VPN logons.

Top VPN Gateways Ranked By Distinct Users: Ranks the VPN Gateways by the total number of distinct user logons

Top VPN Users Ranked By Failed VPN Logons: Ranks the VPN Gateways and their users by the number of failed VPN logons.

Wireless Logon Failure Details: Provides details of wireless logon authentication failures

Top Wireless Controllers, Users By Failed Logon Count: Ranks wireless controllers by the total number of failed logons

Top Windows Domain Controllers, Users By Successful Domain Authentication Count: Ranks the Windows Domain Controllers and their users by the number of successful domain authentications

Top Windows Domain Controllers, Users By Failed Domain Authentication Count: Ranks the Windows Domain Controllers and the users by the number of failed authentications

Windows Domain Account Lockouts: Details windows domain account lockouts

Remote Desktop Connections to Domain Controller: Details successful remote desktop connections

Privileged Domain Controller Logon Attempts using the Administrator Account: Ranks the Windows domain controllers and their users by the number of failed logons using the administrator account

Failed Authentication Server Logons: Captures failed AAA Server Logons

Successful Authentication Server Logons: Captures successful AAA Server Logons

Server Access

Top Unix Servers, Users By Successful Logon Count: This report ranks the UNIX servers and their users by successful logon count

Top Unix Servers, Users By Failed Logon Count: This report ranks the UNIX servers and their users by failed logon count

Top Unix Servers, Users By Successful Privilege Escalation Count: This report ranks the UNIX servers and their users by successful privilege escalations (su) count

Top Unix Servers, Users By Failed Privilege Escalation Count: This report ranks the UNIX servers and their users by failed privilege escalations (su) count

Top Windows Servers, Users By Successful Logon Count: Ranks the Windows Servers and their users by the number of successful logons

Top Windows Servers, Users By Failed Logon Count: Ranks the Windows Servers and the users by the number of failed authentications

Windows Server Account Lockouts: Details Windows server account lockouts

Windows Server Account Unlocks: Captures account unlocks on windows servers. Account unlocks happen after lockouts that may happen on repeated login failures

Remote Desktop Connections to Windows Servers: Details successful remote desktop connections

Privileged Server Logon Attempts using the Administrator Account: Ranks the windows servers and their users by the number of failed logons using the administrator account

Application Access

Top FTP Clients By Unauthorized Access Error Count: Ranks FTP servers and their clients by the total number of unauthorized access error count

Top Web Visitors By Unauthorized Access Error Count: Ranks web servers and visitors by the total number of unauthorized access error count

Top Users By Successful Database Server Logons: Ranks database users by the number of successful logons

Top Users By Failed Database Server Logons: Ranks database users by the number of failed logons

Malware Reports

Virus found and remediated: Captures events that indicate viruses found and remediated – the events could be from Host Anti-virus or Network Security Gateways

Virus found but not remediated: Captures events that indicate viruses found but not remediated – the events could be from Host Anti-virus or Network Security Gateways

Spyware found and remediated: Captures events that indicate spyware was found and remediated on a host – the events could be from Host Anti-virus or Network Security Gateways

Spyware found but not remediated: Captures events that indicate spyware was found but the detecting software failed to remediate it – the events could be from Host Anti-virus or Network Security Gateways

Spam/Malicious Mail Attachment found and remediated: Captures events that indicate spam or malicious mail attachments were found and remediated on a host – the events could be from Host Anti-virus or Network Security Gateways

Spam/Malicious Mail Attachment found but not remediated: Captures events that indicate spam or malicious mail attachments were found but the detecting software did not remediate them

Phishing attempt found and remediated: Captures events that indicate a phishing attempt was found and remediated

Top IPs with Malware Found By Antivirus and Security Gateways: Tracks IP addresses with Malware as found by Host Anti-virus and Security Gateways

Top Computers with Malware Found By Antivirus and Security Gateways: Tracks computers with Malware as found by Host Anti-virus and Security Gateways

Top IPs with Malware Found By IPS and Firewalls: Tracks IP addresses with Malware as found by IPS and firewalls – these detections are somewhat less reliable than those from Host Anti-virus and Security Gateways

Top IPs with Malware Found By Security Gateways: Tracks IP addresses with Malware as found by Security Gateways

Non-compliant Hosts and Security Software License Expirations: Tracks non-compliant hosts and license expiry events from Security Management Gateways and Firewalls. Non-compliant hosts may not have proper security software running and therefore may pose a security threat. License expiration of security software may expose exploitable security vulnerabilities.

Host Vulnerabilities discovered: Tracks vulnerabilities discovered on a host

Other Security Issues

Top Network IPS Events By Severity, Count: Ranks the network IPS events by severity and count

Top Network Scanners By Event Count: Ranks the source IP addresses by detected network scan or reconnaissance events

Top Blocked Network Attacks By Count: Ranks the network attacks blocked by network IPS

Rogue APs detected: Lists the rogue APs

Rogue AP Detection Details: Provides details of rogue AP events

Top WLAN IDS Alerts: Ranks WLAN IDS alerts

Multiple Distinct IPS Events From Same Src: Detects multiple IPS events from the same source IP in a short period of time – the source IP may have been infected

Multiple IPS Scans From Same Src: Detects multiple IPS scans from the same source IP in a short period of time.

High Risk Rating Cisco IPS Exploit: Detects a high risk rating IPS exploit event. This is applicable for Cisco IPS.

High Severity IPS Exploit: Detects a high severity IPS exploit detected by non-Cisco IPS

High Severity Security Exploit: Detects a high severity security exploit detected by non IPS devices

Network Traffic Analysis

Top Conversations By Bytes: Ranks the top conversations by total bytes. A conversation includes Source IP, Destination IP, Protocol and Destination Port.

Top Conversations By Bytes: Detailed View: Ranks the top conversations by total bytes but also provides sent bytes and received bytes as additional information. A conversation includes Source IP, Destination IP, Protocol and Destination Port.

Top Source IPs By Bytes: Ranks the top source IPs by bytes

Top Source IPs By Bytes: Detailed View: Ranks the top source IPs and destination ports by bytes

Top Destination IPs By Bytes: Ranks the top destination IPs by bytes

Top Destination IPs By Bytes: Detailed View: Ranks the top destination IPs and ports by bytes

Top Protocols By Bytes: Ranks the top protocols and destination ports by bytes

Top Protocols By Bytes: Detailed View: Ranks the top protocols and destination ports by bytes

Top Router Link Usage By Bytes: Ranks the top router link usage by bytes

 



This entry was posted in Administration Guides, FortiSIEM on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).
