Samirbous a2c1dd8575 [New] Suspicious FortiGate and Fortinet Logon rules (#5640) ...

* [New] Suspicious FortiGate Admin Logon rules

- First-Time FortiGate Administrator Login
- FortiGate Administrator Login from Multiple IP Addresses

* Update initial_access_fortigate_admin_login_multi_srcip.toml

* ++

* ++

* Create initial_access_newly_observed_frotinet_logon.toml

* Update initial_access_newly_observed_frotinet_logon.toml

* build schema and manifest for fortinet

* Update pyproject.toml

* Update initial_access_newly_observed_frotinet_logon.toml

* Revert "Update initial_access_newly_observed_frotinet_logon.toml"

This reverts commit 7b99828b9a28a8ad9cd156fbe33c92ea436041e0.

* Revert "Update pyproject.toml"

This reverts commit 025daf566fa1f2d7dffd83717f5a70a8285d62ca.

* Revert "build schema and manifest for fortinet"

This reverts commit a6234164f827b65a3d4b7580ef647bfefc34b658.

* ++

2026-01-28 17:56:56 +00:00

..

command_and_control_accepted_default_telnet_port_connection.toml

[Rule Tuning] Accepted Default Telnet Port Connection (#5629)

2026-01-26 20:43:23 -05:00

command_and_control_cobalt_strike_beacon.toml

[FR] Generate investigation guides (#4358)

2025-01-22 11:17:38 -06:00

command_and_control_cobalt_strike_default_teamserver_cert.toml

[Rule Tuning] Reduce Severity from Critical to High (#4637)

2025-05-06 21:37:47 +05:30

command_and_control_download_rar_powershell_from_internet.toml

[FR] Generate investigation guides (#4358)

2025-01-22 11:17:38 -06:00

command_and_control_fin7_c2_behavior.toml

[FR] Generate investigation guides (#4358)

2025-01-22 11:17:38 -06:00

command_and_control_halfbaked_beacon.toml

[FR] Generate investigation guides (#4358)

2025-01-22 11:17:38 -06:00

command_and_control_nat_traversal_port_activity.toml

[FR] Generate investigation guides (#4358)

2025-01-22 11:17:38 -06:00

command_and_control_port_26_activity.toml

[FR] Generate investigation guides (#4358)

2025-01-22 11:17:38 -06:00

command_and_control_rdp_remote_desktop_protocol_from_the_internet.toml

[FR] Generate investigation guides (#4358)

2025-01-22 11:17:38 -06:00

command_and_control_vnc_virtual_network_computing_from_the_internet.toml

Refresh ecs, beats, integration manifests & schemas (#4699)

2025-05-05 23:06:40 +05:30

command_and_control_vnc_virtual_network_computing_to_the_internet.toml

Refresh ecs, beats, integration manifests & schemas (#4699)

2025-05-05 23:06:40 +05:30

discovery_potential_network_sweep_detected.toml

[Rule Tuning] Remove hardcoded logic from description (#4503)

2025-02-28 14:38:18 -03:00

discovery_potential_port_scan_detected.toml

Update discovery_potential_port_scan_detected.toml (#5571)

2026-01-16 23:21:12 -03:00

discovery_potential_syn_port_scan_detected.toml

[Rule Tuning] Remove hardcoded logic from description (#4503)

2025-02-28 14:38:18 -03:00

initial_access_fortigate_admin_login_multi_srcip.toml

[New] Suspicious FortiGate and Fortinet Logon rules (#5640)

2026-01-28 17:56:56 +00:00

initial_access_newly_observed_fortigate_admin_logon.toml

[New] Suspicious FortiGate and Fortinet Logon rules (#5640)

2026-01-28 17:56:56 +00:00

initial_access_react_server_components_rce_attempt.toml

[New Rule] React2Shell Detection (#5408)

2025-12-05 18:37:54 -05:00

initial_access_react_server_rce_network_alerts.toml

[New] React2Shell Network Security Alert (#5445)

2025-12-19 12:22:44 +00:00

initial_access_rpc_remote_procedure_call_from_the_internet.toml

[FR] Generate investigation guides (#4358)

2025-01-22 11:17:38 -06:00

initial_access_rpc_remote_procedure_call_to_the_internet.toml

[FR] Generate investigation guides (#4358)

2025-01-22 11:17:38 -06:00

initial_access_smb_windows_file_sharing_activity_to_the_internet.toml

[Tuning] SMB (Windows File Sharing) Activity to the Internet (#5533)

2026-01-08 18:52:09 -03:00

initial_access_unsecure_elasticsearch_node.toml

[FR] Generate investigation guides (#4358)

2025-01-22 11:17:38 -06:00

lateral_movement_dns_server_overflow.toml

Back-porting Version Trimming (#3704)

2024-05-23 00:45:10 +05:30