Elastic Security Detection Rules

FortiGate FortiCloud SSO Login from Unusual Source

Last updated 6 days ago on 2026-01-28
Created 6 days ago on 2026-01-28

About

This rule detects the first successful FortiCloud SSO login from a previously unseen source IP address to a FortiGate device within the last 5 days. FortiCloud SSO logins from new source IPs may indicate exploitation of SAML-based authentication bypass vulnerabilities such as CVE-2026-24858, where crafted SAML assertions allow unauthorized access to FortiGate devices registered to other accounts. Environments that regularly use FortiCloud SSO will only alert on new source IPs not seen in the lookback window.
Tags
Use Case: Threat DetectionTactic: Initial AccessDomain: NetworkDomain: IdentityData Source: FortinetData Source: Fortinet FortiGateLanguage: esql
Severity
medium
Risk Score
47
MITRE ATT&CK™

Initial Access (TA0001)(external, opens in a new tab or window)

Valid Accounts (T1078)(external, opens in a new tab or window)

License
Elastic License v2(external, opens in a new tab or window)

Definition

Integration Pack
Prebuilt Security Detection Rules
Related Integrations

fortinet_fortigate(external, opens in a new tab or window)

Query
text code block:
FROM logs-fortinet_fortigate.* metadata _id, _version, _index

| WHERE event.dataset == "fortinet_fortigate.log" and
        event.category == "authentication" and event.action == "login" and
        event.outcome == "success" and
        (fortinet.firewall.method == "sso" or fortinet.firewall.ui like "sso*") and
        source.ip is not null
| STATS Esql.logon_count = COUNT(*),
        Esql.first_time_seen = MIN(@timestamp),
        Esql.user_values = VALUES(source.user.name),
        Esql.observer_name_values = VALUES(observer.name),
        Esql.message_values = VALUES(message) BY source.ip

// first time seen is within 6m of the rule execution time and for the last 5d of events history
| EVAL Esql.recent = DATE_DIFF("minute", Esql.first_time_seen, now())
| WHERE Esql.recent <= 6 AND Esql.logon_count == 1

// move dynamic fields to ECS equivalent for rule exceptions
| EVAL source.user.name = MV_FIRST(Esql.user_values)

| KEEP source.ip, source.user.name, Esql.*

Install detection rules in Elastic Security

Detect FortiGate FortiCloud SSO Login from Unusual Source in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(external, opens in a new tab or window).