FortiGate SSL VPN Login Followed by SIEM Alert by User

Last updated 5 days ago on 2026-02-20

Created 5 days ago on 2026-02-20

About

Detects when a FortiGate SSL VPN login event is followed by any SIEM detection alert for the same user name within a short time window. This correlation can indicate abuse of VPN access for malicious activity, credential compromise used from a VPN session, or initial access via VPN followed by post-compromise behavior.

Tags

Use Case: Threat DetectionRule Type: Higher-Order RuleTactic: Initial AccessData Source: FortinetLanguage: eql

Severity

medium

Risk Score

MITRE ATT&CK™

Initial Access (TA0001)(external, opens in a new tab or window)

↳ Valid Accounts (T1078)(external, opens in a new tab or window)

License

Elastic License v2(external, opens in a new tab or window)

Definition

Rule Type: Event Correlation Rule
Integration Pack: Prebuilt Security Detection Rules
Index Patterns: logs-fortinet_fortigate.log-*.alerts-security.*
Related Integrations: fortinet_fortigate(external, opens in a new tab or window)
Query

✄𐘗text code block:
✄𐘗sequence by user.name with maxspan=10m
 [authentication where event.dataset == "fortinet_fortigate.log" and event.action == "login" and event.code in ("0101039426", "0101039427")]
 [any where event.kind == "signal" and kibana.alert.rule.name != null and event.dataset != "fortinet_fortigate.log" and
  kibana.alert.risk_score > 21 and kibana.alert.rule.rule_id != "a7f2c1b4-5d8e-4f3a-9b0c-2e1d4a6b8f3e" and user.name != null]

Install detection rules in Elastic Security

Detect FortiGate SSL VPN Login Followed by SIEM Alert by User in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(external, opens in a new tab or window).