security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
dev-v1.5.40
sigma-rules/rules/network
T
History
Terrance DeJesus ae88c095e9 [New Rule] Fortigate (FG-IR-26-060) Detections (#5641) 
* initial FG-IR-26-060 rules

* adjusted investigation guides to proper formatting

* Update initial_access_fortigate_sso_login_from_unusual_source.toml

* Update and rename exfiltration_fortigate_config_download.toml to collection_fortigate_config_download.toml

* Update collection_fortigate_config_download.toml

* Apply suggestion from @Samirbous

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Apply suggestion from @Samirbous

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Apply suggestion from @Samirbous

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Apply suggestion from @Samirbous

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* adjusting rules

* revert super admin

* adjusted source.ip to 'fortinet.firewall.ui'

* changing ESQL to EQL for non-aggregate queries

* added CISA reference

* adjusted interval and maxspan

* updating dates

* changed download rule to EQL

* added additional sso checks; linted previous rules

---------

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
2026-01-30 10:16:34 -05:00
..
collection_fortigate_config_download.toml
[New Rule] Fortigate (FG-IR-26-060) Detections (#5641)
2026-01-30 10:16:34 -05:00
command_and_control_accepted_default_telnet_port_connection.toml
[Rule Tuning] Accepted Default Telnet Port Connection (#5629)
2026-01-26 20:43:23 -05:00
command_and_control_cobalt_strike_beacon.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
command_and_control_cobalt_strike_default_teamserver_cert.toml
[Rule Tuning] Reduce Severity from Critical to High (#4637)
2025-05-06 21:37:47 +05:30
command_and_control_download_rar_powershell_from_internet.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
command_and_control_fin7_c2_behavior.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
command_and_control_halfbaked_beacon.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
command_and_control_nat_traversal_port_activity.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
command_and_control_port_26_activity.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
command_and_control_rdp_remote_desktop_protocol_from_the_internet.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
command_and_control_vnc_virtual_network_computing_from_the_internet.toml
Refresh ecs, beats, integration manifests & schemas (#4699)
2025-05-05 23:06:40 +05:30
command_and_control_vnc_virtual_network_computing_to_the_internet.toml
Refresh ecs, beats, integration manifests & schemas (#4699)
2025-05-05 23:06:40 +05:30
defense_evasion_fortigate_overly_permissive_firewall_policy.toml
[New Rule] Fortigate (FG-IR-26-060) Detections (#5641)
2026-01-30 10:16:34 -05:00
discovery_potential_network_sweep_detected.toml
[Rule Tuning] Remove hardcoded logic from description (#4503)
2025-02-28 14:38:18 -03:00
discovery_potential_port_scan_detected.toml
Update discovery_potential_port_scan_detected.toml (#5571)
2026-01-16 23:21:12 -03:00
discovery_potential_syn_port_scan_detected.toml
[Rule Tuning] Remove hardcoded logic from description (#4503)
2025-02-28 14:38:18 -03:00
initial_access_fortigate_admin_login_multi_srcip.toml
[New Rule] Fortigate (FG-IR-26-060) Detections (#5641)
2026-01-30 10:16:34 -05:00
initial_access_fortigate_sso_login_from_unusual_source.toml
[New Rule] Fortigate (FG-IR-26-060) Detections (#5641)
2026-01-30 10:16:34 -05:00
initial_access_newly_observed_fortigate_admin_logon.toml
[New Rule] Fortigate (FG-IR-26-060) Detections (#5641)
2026-01-30 10:16:34 -05:00
initial_access_react_server_components_rce_attempt.toml
[New Rule] React2Shell Detection (#5408)
2025-12-05 18:37:54 -05:00
initial_access_react_server_rce_network_alerts.toml
[New] React2Shell Network Security Alert (#5445)
2025-12-19 12:22:44 +00:00
initial_access_rpc_remote_procedure_call_from_the_internet.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
initial_access_rpc_remote_procedure_call_to_the_internet.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
initial_access_smb_windows_file_sharing_activity_to_the_internet.toml
[Tuning] SMB (Windows File Sharing) Activity to the Internet (#5533)
2026-01-08 18:52:09 -03:00
initial_access_unsecure_elasticsearch_node.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
lateral_movement_dns_server_overflow.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
persistence_fortigate_admin_creation_unusual_source.toml
[New Rule] Fortigate (FG-IR-26-060) Detections (#5641)
2026-01-30 10:16:34 -05:00
persistence_fortigate_sso_login_followed_by_admin_creation.toml
[New Rule] Fortigate (FG-IR-26-060) Detections (#5641)
2026-01-30 10:16:34 -05:00
persistence_fortigate_super_admin_account_creation.toml
[New Rule] Fortigate (FG-IR-26-060) Detections (#5641)
2026-01-30 10:16:34 -05:00