Detection | medium | experimental
FortiGate - Firewall Address Object Added
Detects the addition of firewall address objects on a Fortinet FortiGate Firewall.
Log Source
Product: fortigate
Service: event
Detection Logic (1 selector)
detection:
    selection:
        action: 'Add'
        cfgpath: 'firewall.address'
    condition: selection
False Positives
An address could be added or deleted for legitimate purposes.
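The selection above run over raw FortiGate event lines, as an added example that is not part of the rule or of the Sigma project. The log lines are constructed (hypothetical device name, log ID, user, addresses and object names, laid out in FortiGate's key=value syslog format), and the matching function implements Sigma's default semantics for a plain string value: exact, case-insensitive comparison, so 'firewall.address' does not match 'firewall.address6' and 'Add' does match 'add'.

```python
import re
from typing import Dict, List

# Selection block of the Sigma rule on this page: both fields must match (AND).
SELECTION = {
    "action": "Add",
    "cfgpath": "firewall.address",
}

# FortiGate syslog is key=value; values containing spaces or punctuation are quoted.
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fortigate_event(line: str) -> Dict[str, str]:
    """Parse one FortiGate key=value log line into a field dict, stripping quotes."""
    fields: Dict[str, str] = {}
    for key, value in _KV_RE.findall(line):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


def selection_matches(event: Dict[str, str], selection: Dict[str, str] = SELECTION) -> bool:
    """Sigma semantics for a plain string value: exact match, case-insensitive.

    A field that is absent from the event never matches, so a log line that was
    not parsed into action/cfgpath fields cannot fire the rule by accident.
    """
    for field, expected in selection.items():
        actual = event.get(field)
        if actual is None or actual.lower() != expected.lower():
            return False
    return True


# Constructed sample data (hypothetical values, not real device output). The common
# prefix mirrors the fields FortiGate emits on config-change events.
_PREFIX = (
    'date=2024-03-08 time=10:14:02 devname="FGT-EDGE-1" logid="0100044547" type="event" '
    'subtype="system" level="information" vd="root" logdesc="Object attribute configured" '
    'user="admin" ui="GUI(203.0.113.9)" '
)
SAMPLE_LOGS: List[str] = [
    # New IPv4 address object: fires.
    _PREFIX + 'action="Add" cfgpath="firewall.address" cfgobj="srv-allow-198.51.100.7" '
              'msg="Add firewall.address srv-allow-198.51.100.7"',
    # Deletion of an address object: action does not match.
    _PREFIX + 'action="Delete" cfgpath="firewall.address" cfgobj="old-branch-net" '
              'msg="Delete firewall.address old-branch-net"',
    # IPv6 address object: cfgpath is a different exact value, does not fire.
    _PREFIX + 'action="Add" cfgpath="firewall.address6" cfgobj="v6-dns-resolver" '
              'msg="Add firewall.address6 v6-dns-resolver"',
    # Policy edit: neither field matches.
    _PREFIX + 'action="Edit" cfgpath="firewall.policy" cfgobj="17" cfgattr="status[enable]" '
              'msg="Edit firewall.policy 17"',
    # Lower-case action (constructed variant): still fires, comparison is case-insensitive.
    _PREFIX + 'action="add" cfgpath="firewall.address" cfgobj="tunnel-endpoint" '
              'msg="add firewall.address tunnel-endpoint"',
]


def detect(lines: List[str]) -> List[Dict[str, str]]:
    """Run the rule over raw log lines and return the parsed events that fire."""
    return [ev for ev in map(parse_fortigate_event, lines) if selection_matches(ev)]


def added_object_names(lines: List[str]) -> List[str]:
    """Names (cfgobj) of the address objects whose creation the rule flagged."""
    return [ev.get("cfgobj", "<unknown>") for ev in detect(lines)]


if __name__ == "__main__":
    # Triage context an analyst wants next to the alert: who, from where, which object.
    for ev in detect(SAMPLE_LOGS):
        print(f'{ev["date"]} {ev["time"]} user={ev["user"]} via {ev["ui"]}: '
              f'added address object {ev["cfgobj"]}')
```

When the rule is converted for a SIEM, the query must point at whatever field names the ingestion pipeline gives the parsed `action` and `cfgpath` keys; the rule does not cover `firewall.address6` or address-group objects, and the `user` and `ui` fields carried on the same event are the first things to pull when deciding whether an addition was routine administration.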
MITRE ATT&CK
Tactics: Defense Evasion
Techniques: T1562 (Impair Defenses)
Rule Metadata
Rule ID
5c8d7b41-3812-432f-a0bb-4cfb7c31827e
Status
experimental
Level
medium
Type
Detection
Created
Sat Nov 01
Path
rules/network/fortinet/fortigate/fortinet_fortigate_new_firewall_address_object.yml
Raw Tags
attack.defense-evasion, attack.t1562