
FortiGate SSL VPN Login Followed by SIEM Alert by User

Detects when a FortiGate SSL VPN login event is followed by any SIEM detection alert for the same user name within a short time window. This correlation can indicate abuse of VPN access for malicious activity, credential compromise used from a VPN session, or initial access via VPN followed by post-compromise behavior.

MITRE ATT&CK

initial-access

Detection Query

sequence by user.name with maxspan=10m
 [authentication where data_stream.dataset == "fortinet_fortigate.log" and event.action == "login" and event.code in ("0101039426", "0101039427") and
  user.name != "root"]
 [any where event.kind == "signal" and kibana.alert.rule.name != null and data_stream.dataset != "fortinet_fortigate.log" and
  kibana.alert.risk_score > 21 and kibana.alert.rule.rule_id != "a7f2c1b4-5d8e-4f3a-9b0c-2e1d4a6b8f3e" and user.name != null]
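To make the correlation logic testable offline, here is a small Python emulation of the EQL sequence above. This is an added example, not Elastic's code or the rule engine: it keeps the two stage filters and the per-user 10-minute window, but simplifies EQL's sequence bookkeeping (one pending login per user, a newer login restarts the window, and a matched or expired login is retired). It treats `event.category` as a plain string where EQL's `authentication where` matches against an ECS array, and every event below is constructed, with a placeholder UUID standing in for other rules' `rule_id` values.

```python
# Added example (not Elastic's code): emulate
#   sequence by user.name with maxspan=10m [stage 1] [stage 2]
# so the rule's filters can be exercised against constructed events.
from datetime import datetime, timedelta, timezone

RULE_ID = "a7f2c1b4-5d8e-4f3a-9b0c-2e1d4a6b8f3e"   # rule_id from the page
FORTIGATE_DATASET = "fortinet_fortigate.log"
SSLVPN_LOGIN_CODES = {"0101039426", "0101039427"}   # event.code values from the query
MAXSPAN = timedelta(minutes=10)
OTHER_RULE_ID = "00000000-0000-0000-0000-000000000001"  # constructed placeholder


def is_vpn_login(ev):
    """Stage 1: FortiGate SSL VPN login for any user other than root."""
    return (
        ev.get("event.category") == "authentication"     # simplification of `authentication where`
        and ev.get("data_stream.dataset") == FORTIGATE_DATASET
        and ev.get("event.action") == "login"
        and ev.get("event.code") in SSLVPN_LOGIN_CODES
        and ev.get("user.name") not in (None, "root")
    )


def is_followup_alert(ev):
    """Stage 2: a non-FortiGate detection signal above risk 21 that is not this rule's own alert."""
    return (
        ev.get("event.kind") == "signal"
        and ev.get("kibana.alert.rule.name") is not None
        and ev.get("data_stream.dataset") != FORTIGATE_DATASET
        and (ev.get("kibana.alert.risk_score") or 0) > 21
        and ev.get("kibana.alert.rule.rule_id") != RULE_ID
        and ev.get("user.name") is not None
    )


def correlate(events, maxspan=MAXSPAN):
    """Replay events in timestamp order; per user.name, pair the most recent unmatched
    VPN login with the next qualifying alert inside maxspan. Returns (login, alert) pairs."""
    pending = {}   # user.name -> most recent unmatched stage-1 event
    matches = []
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        user = ev.get("user.name")
        if is_vpn_login(ev):
            pending[user] = ev          # a newer login restarts the window for this user
        elif is_followup_alert(ev) and user in pending:
            login = pending.pop(user)   # retire the login whether or not it matches
            if ev["@timestamp"] - login["@timestamp"] <= maxspan:
                matches.append((login, ev))
    return matches


def summarize(matches):
    """(user, alert rule name, seconds between the VPN login and the alert) per match."""
    return [(login["user.name"], alert["kibana.alert.rule.name"],
             (alert["@timestamp"] - login["@timestamp"]).total_seconds())
            for login, alert in matches]


# --- constructed sample events (not real FortiGate or SIEM records) ---
def _ts(minute):
    return datetime(2026, 2, 20, 9, minute, 0, tzinfo=timezone.utc)


def _login(minute, user, code="0101039426"):
    return {"@timestamp": _ts(minute), "event.category": "authentication",
            "data_stream.dataset": FORTIGATE_DATASET, "event.action": "login",
            "event.code": code, "user.name": user}


def _alert(minute, user, name, risk, rule_id=OTHER_RULE_ID, dataset="endpoint.alerts"):
    return {"@timestamp": _ts(minute), "event.kind": "signal", "kibana.alert.rule.name": name,
            "data_stream.dataset": dataset, "kibana.alert.risk_score": risk,
            "kibana.alert.rule.rule_id": rule_id, "user.name": user}


SAMPLE_EVENTS = [
    _login(0, "jdoe"),
    _alert(4, "jdoe", "Suspicious PowerShell Execution", 47),    # 4 min after login -> match
    _login(5, "root"),                                           # root is excluded at stage 1
    _alert(6, "root", "Privilege Escalation Attempt", 73),       # no pending login -> no match
    _login(10, "asmith"),
    _alert(25, "asmith", "Unusual Process Spawn", 47),           # 15 min later -> outside maxspan
    _login(30, "bchen"),
    _alert(32, "bchen", "Low Severity Noise", 21),               # risk_score not > 21 -> ignored
    _login(40, "jdoe"),
    _alert(42, "jdoe", "FortiGate SSL VPN Login Followed by SIEM Alert by User", 47,
           rule_id=RULE_ID),                                     # this rule's own alert -> excluded
]

if __name__ == "__main__":
    for user, alert, secs in summarize(correlate(SAMPLE_EVENTS)):
        print(f"{user}: '{alert}' fired {secs:.0f}s after SSL VPN login")
```

Running the block yields exactly one correlation (jdoe's login at 09:00 paired with the endpoint alert at 09:04); the root login, the alert outside the window, the risk-21 alert, and the rule's own alert are all rejected for the same reasons the EQL filters reject them, which is a useful sanity check before tuning `maxspan` or the risk threshold for a given environment.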

Author

Elastic

Created

2026/02/20

Data Sources

Fortinet
logs-fortinet_fortigate.log-*
.alerts-security.*

Tags

Use Case: Threat Detection
Rule Type: Higher-Order Rule
Tactic: Initial Access
Data Source: Fortinet
Resources: Investigation Guide

Raw Content
[metadata]
creation_date = "2026/02/20"
integration = ["fortinet_fortigate"]
maturity = "production"
updated_date = "2026/04/10"

[rule]
author = ["Elastic"]
description = """
Detects when a FortiGate SSL VPN login event is followed by any SIEM detection alert for the same user name within a
short time window. This correlation can indicate abuse of VPN access for malicious activity, credential compromise
used from a VPN session, or initial access via VPN followed by post-compromise behavior.
"""
from = "now-9m"
index = ["logs-fortinet_fortigate.log-*", ".alerts-security.*"]
language = "eql"
license = "Elastic License v2"
name = "FortiGate SSL VPN Login Followed by SIEM Alert by User"
references = [
    "https://attack.mitre.org/tactics/TA0001/",
    "https://www.elastic.co/docs/reference/integrations/fortinet_fortigate",
]
risk_score = 47
rule_id = "a7f2c1b4-5d8e-4f3a-9b0c-2e1d4a6b8f3e"
severity = "medium"
tags = [
    "Use Case: Threat Detection",
    "Rule Type: Higher-Order Rule",
    "Tactic: Initial Access",
    "Data Source: Fortinet",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
sequence by user.name with maxspan=10m
 [authentication where data_stream.dataset == "fortinet_fortigate.log" and event.action == "login" and event.code in ("0101039426", "0101039427") and
  user.name != "root"]
 [any where event.kind == "signal" and kibana.alert.rule.name != null and data_stream.dataset != "fortinet_fortigate.log" and
  kibana.alert.risk_score > 21 and kibana.alert.rule.rule_id != "a7f2c1b4-5d8e-4f3a-9b0c-2e1d4a6b8f3e" and user.name != null]
'''
note = """## Triage and analysis

### Investigating FortiGate SSL VPN Login Followed by SIEM Alert by User

This rule correlates a FortiGate SSL VPN login with a subsequent security alert for the same user name, highlighting possible abuse of VPN access or activity shortly after remote access.

### Possible investigation steps

- Review the FortiGate login event (source IP, user, time) and the SIEM alert(s) that followed for the same user.
- Determine whether the user is expected to use VPN and whether the subsequent alert is related to legitimate work (e.g. admin tools, updates).
- Check for other alerts or logins for the same user in the same time window to assess scope.
- Correlate with authentication logs to identify impossible travel or credential reuse from the VPN session.

### False positive analysis

- Legitimate VPN users triggering detections (e.g. scripted tasks, admin tooling) after login.
- Security scans or automated jobs that run in the context of a VPN-authenticated user.

### Response and remediation

- If abuse or compromise is suspected, disable or reset the user’s VPN access and credentials.
- Investigate the host and process associated with the SIEM alert.
- Escalate to the security or incident response team if the alert indicates malicious activity.
"""


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1078"
name = "Valid Accounts"
reference = "https://attack.mitre.org/techniques/T1078/"


[rule.threat.tactic]
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"