Detection rule (level: medium, status: experimental)
FortiGate - User Group Modified
Detects the modification of a user group on a Fortinet FortiGate firewall. Such a group can be used to grant VPN access to a network, so a change to its membership may extend who can reach the internal network.
Log Source
Product: fortigate
Service: event
Detection Logic (1 selector)
detection:
  selection:
    action: 'Edit'
    cfgpath: 'user.group'
  condition: selection
False Positives
A group can be modified for legitimate purposes.
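To show how the selection above is evaluated against the kind of FortiGate event logs it targets, here is an added Python example that is not part of the rule or of this page: it parses constructed key=value FortiGate event lines and applies the same AND logic (both action and cfgpath must match), returning who changed which group from which UI, which is what an analyst checks when deciding whether a hit is one of the legitimate changes noted above. The log lines, user names and addresses are constructed samples, not real captures.

```python
import shlex

# Sigma selection from the rule on this page: both fields must match (logical AND).
SELECTION = {"action": "Edit", "cfgpath": "user.group"}

# Constructed FortiGate event log lines (key=value syslog format), not real captures.
SAMPLE_LOGS = [
    'date=2024-01-01 time=10:00:00 type="event" subtype="system" level="information" '
    'logdesc="Object attribute configured" user="admin" ui="GUI(10.0.0.5)" action="Edit" '
    'cfgpath="user.group" cfgobj="vpn_users" cfgattr="member[alice->alice bob]" '
    'msg="Edit user.group vpn_users"',
    # Same admin editing a different object type: cfgpath does not match.
    'date=2024-01-01 time=10:01:00 type="event" subtype="system" level="information" '
    'logdesc="Object attribute configured" user="admin" ui="GUI(10.0.0.5)" action="Edit" '
    'cfgpath="firewall.address" cfgobj="web_srv" msg="Edit firewall.address web_srv"',
    # A group being created rather than edited: action does not match.
    'date=2024-01-01 time=10:02:00 type="event" subtype="system" level="information" '
    'logdesc="Object configured" user="admin" ui="ssh(10.0.0.5)" action="Add" '
    'cfgpath="user.group" cfgobj="contractors" msg="Add user.group contractors"',
]


def parse_fortigate_event(line):
    """Split a key=value FortiGate log line into a dict; quoted values may contain spaces."""
    fields = {}
    for token in shlex.split(line):  # shlex honours the double quotes around values
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def matches_selection(event, selection=SELECTION):
    """Sigma map semantics: every key in the selection must equal the event's value."""
    return all(event.get(k) == v for k, v in selection.items())


def find_group_modifications(lines):
    """Return (user, ui, cfgobj) for each event matching the rule, for analyst triage."""
    hits = []
    for line in lines:
        event = parse_fortigate_event(line)
        if matches_selection(event):
            hits.append((event.get("user"), event.get("ui"), event.get("cfgobj")))
    return hits


if __name__ == "__main__":
    for user, ui, group in find_group_modifications(SAMPLE_LOGS):
        print(f"user group '{group}' modified by {user} via {ui}")
```

Only the first constructed line fires; the cfgattr value shows the membership change, which is the detail worth including in the alert when checking for a legitimate change.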
MITRE ATT&CK
Rule Metadata
Rule ID
69ffc84e-8b1a-4024-8351-e018f66b8275
Status
experimental
Level
medium
Type
Detection
Created
Sat Nov 01
Path
rules/network/fortinet/fortigate/fortinet_fortigate_user_group_modified.yml
Raw Tags
attack.persistence
attack.privilege-escalation