[Rule Tuning] First-Time FortiGate Administrator Login

[JoeySec]

Link to Rule

https://github.com/elastic/detection-rules/blob/main/rules/network/initial_access_newly_observed_fortigate_admin_logon.toml

Rule Tuning Type

None

Description

Add the Admin profile name for Administrator login event to support easy identification in the alert of the group the identity logged into. When custom FortiGate Admin Profiles are used, this can be helpful to identify the potential scope of the access. This field can be used for any exceptions desired for specific groups, or to adjust the severity.

For the stats section starting in line 88-91

detection-rules/rules/network/initial_access_newly_observed_fortigate_admin_logon.toml

Lines 88 to 91 in f0467c8

	| stats Esql.logon_count = count(*),
	Esql.first_time_seen = MIN(@timestamp),
	Esql.source_ip_values = VALUES(source.ip),
	Esql.message_values = VALUES(message) by source.user.name

Add

Esql.fortinet_firewall_profiles = VALUES(fortinet.firewwall.profile)

Example Data

Default Admin Group
From log source:
fortinet.firewall.profile: super_admin
In alert:
Esql.fortinet_firewall_profiles: super_admin
Custom Group
From log source:
fortinet.firewall.profile: read_only_admin
In alert:
Esql.fortinet_firewall_profiles: read_only_admin

[eric-forte-elastic]

@JoeySec thanks for the great detail in this request! I will be taking a look shortly.

[eric-forte-elastic]

@JoeySec I expect we are going to update the rule to include this field.

One thing to note, is that to use rule exceptions with ES|QL rules one will generally only be able to run exclusions against ECS fields. As such, one will need to map the additional field back to an ECS field using an additional line like the following:

| eval user.roles = Esql.fortinet_firewall_profiles

And then add the user.roles to the keep.

I expect we will likely not add this eval line to the rule PR and you would need to customize the rule to add this. However, if we do add this eval like then I will add an update this thread.

[eric-forte-elastic]

Update, we are populating the fortinet_firewall_profiles using a stats by command instead, which should provide the field in a suitable way for adding exceptions without the above issue.