Detection | medium | experimental
FortiGate - New Firewall Policy Added
Detects the addition of a new firewall policy on a Fortinet FortiGate Firewall.
Log Source
Product: fortigate
Service: event
Detection Logic
detection:
    selection:
        action: 'Add'
        cfgpath: 'firewall.policy'
    condition: selection
False Positives
A firewall policy can be added for legitimate purposes, so every hit needs triage: correlate the event with the administrator account (user), the management interface and source address (ui), and the change-management record for the policy object (cfgobj).
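The selection above runs over FortiGate system event logs, which arrive as one key=value line per event. The following is an added example, not part of the Sigma rule or the Fortinet product, that parses such lines and applies the rule's selection with Sigma's default semantics (all fields in a map must match, string comparison is case-insensitive). The sample log lines are constructed for this example and only illustrate the field layout; it is assumed that the pipeline delivers the FortiGate keys action and cfgpath unchanged, which is what the rule's field names require.

```python
import re
from typing import Dict, List

# The rule's selection map: every key must be present and equal.
SELECTION = {"action": "Add", "cfgpath": "firewall.policy"}

# FortiGate syslog: key=value pairs, values optionally double-quoted (may contain spaces).
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fortigate_log(line: str) -> Dict[str, str]:
    """Parse one FortiGate key=value log line into a dict, stripping surrounding quotes."""
    fields: Dict[str, str] = {}
    for key, raw in KV_RE.findall(line):
        if raw.startswith('"') and raw.endswith('"'):
            raw = raw[1:-1].replace('\\"', '"')
        fields[key] = raw
    return fields


def matches_selection(event: Dict[str, str], selection: Dict[str, str] = SELECTION) -> bool:
    """Sigma map semantics: AND across keys; plain string values compare case-insensitively."""
    for key, expected in selection.items():
        value = event.get(key)
        if value is None or value.lower() != expected.lower():
            return False
    return True


def detect(lines: List[str]) -> List[Dict[str, str]]:
    """Return the parsed events that the rule's selection matches."""
    return [ev for ev in (parse_fortigate_log(l) for l in lines) if matches_selection(ev)]


def triage_summary(event: Dict[str, str]) -> str:
    """Fields an analyst wants first when checking a hit against change management."""
    return (f"user={event.get('user', '?')} ui={event.get('ui', '?')} "
            f"policy={event.get('cfgobj', '?')} msg={event.get('msg', '?')}")


# Constructed sample events (layout illustrative, not captured from a device).
SAMPLE_LOGS = [
    # Policy added via GUI: should match.
    'date=2024-05-02 time=10:15:31 devname="FGT-EDGE-01" type="event" subtype="system" '
    'level="information" vd="root" logdesc="Object attribute configured" user="admin" '
    'ui="GUI(10.10.0.25)" action="Add" cfgpath="firewall.policy" cfgobj="42" '
    'cfgattr="name[allow-any]srcintf[port1]dstintf[port2]" msg="Add firewall.policy 42"',
    # Existing policy edited: same cfgpath, different action, must not match.
    'date=2024-05-02 time=10:16:02 devname="FGT-EDGE-01" type="event" subtype="system" '
    'user="admin" ui="GUI(10.10.0.25)" action="Edit" cfgpath="firewall.policy" cfgobj="42" '
    'msg="Edit firewall.policy 42"',
    # Address object added: right action, wrong cfgpath, must not match.
    'date=2024-05-02 time=10:17:45 devname="FGT-EDGE-01" type="event" subtype="system" '
    'user="netops" ui="ssh(10.10.0.9)" action="Add" cfgpath="firewall.address" '
    'cfgobj="srv-db-01" msg="Add firewall.address srv-db-01"',
    # Lower-case action value: Sigma matching is case-insensitive, so this still matches.
    'date=2024-05-02 time=23:58:10 devname="FGT-EDGE-01" type="event" subtype="system" '
    'user="svc-backup" ui="ssh(203.0.113.7)" action="add" cfgpath="firewall.policy" '
    'cfgobj="43" msg="Add firewall.policy 43"',
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_LOGS):
        print("ALERT:", triage_summary(hit))
```

Running the block prints two alerts: the GUI change by admin and the late-night SSH change by svc-backup. The second is the kind of hit the false-positive note is about; the rule cannot tell sanctioned from unsanctioned additions on its own, so the triage fields are carried through rather than suppressed.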
MITRE ATT&CK
Tactics: Defense Evasion
Techniques: T1562 (Impair Defenses)
Rule Metadata
Rule ID
f24ab7a8-f09a-4319-82c1-915586aa642b
Status
experimental
Level
medium
Type
Detection
Created
Sat Nov 01
Path
rules/network/fortinet/fortigate/fortinet_fortigate_new_firewall_policy_added.yml
Raw Tags
attack.defense-evasion
attack.t1562