FortiGate - New Administrator Account Created

Original Source: [Sigma source]
Title: FortiGate - New Administrator Account Created
Status: experimental
Description: Detects the creation of an administrator account on a Fortinet FortiGate firewall.
References:
  - https://www.fortiguard.com/psirt/FG-IR-24-535
  - https://docs.fortinet.com/document/fortigate/7.6.4/fortios-log-message-reference/398/event
  - https://docs.fortinet.com/document/fortigate/7.6.4/cli-reference/390485493/config-system-admin
  - https://docs.fortinet.com/document/fortigate/7.6.4/fortios-log-message-reference/44547/44547-logid-event-config-objattr
Author: Marco Pedrinazzi @pedrinazziM (InTheCyber)
Date: 2025-11-01
Modified: None
Tags:
  - attack.persistence
  - attack.t1136.001
Logsource:
  • product: fortigate
  • service: event
Detection:
  selection:
    action: 'Add'
    cfgpath: 'system.admin'
  condition: selection
Falsepositives:
  - An administrator account can be created for legitimate purposes. Investigate the account details (the administrator who made the change, the management interface and source address it came from, and the access profile assigned to the new account) to determine whether it is authorized.
Level: medium
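The following is an added worked example, not part of the Sigma rule or its author's material: it applies the selection above (action equal to Add and cfgpath equal to system.admin, matched case-insensitively as Sigma does by default) to FortiGate key=value syslog lines and pulls out the fields a responder would triage. The three sample events are constructed for this illustration; their field names follow the FortiGate event log format, while the specific logid value, serial number, addresses and cfgattr rendering are assumptions.

```python
import re
from typing import Dict, List

# FortiGate writes syslog as space-separated key=value pairs; values containing
# spaces are double-quoted (e.g. msg="Add system.admin svc-backup").
_FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S*)')


def parse_fortigate_log(line: str) -> Dict[str, str]:
    """Parse one FortiGate syslog line into a {field: value} dict."""
    fields: Dict[str, str] = {}
    for key, raw in _FIELD_RE.findall(line):
        if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
            raw = raw[1:-1].replace('\\"', '"')
        fields[key] = raw
    return fields


# The rule's selection block. Sigma string matching is case-insensitive by
# default, so values are compared casefolded.
SELECTION = {"action": "Add", "cfgpath": "system.admin"}


def matches_selection(event: Dict[str, str]) -> bool:
    """True when every selection field is present and equal (case-insensitive)."""
    return all(
        event.get(field, "").casefold() == value.casefold()
        for field, value in SELECTION.items()
    )


def detect_new_admins(lines: List[str]) -> List[Dict[str, str]]:
    """Apply the rule to raw log lines; return triage context for each hit."""
    hits: List[Dict[str, str]] = []
    for line in lines:
        event = parse_fortigate_log(line)
        # logsource service=event: only FortiGate event logs are in scope.
        if event.get("type") != "event":
            continue
        if matches_selection(event):
            hits.append({
                "logid": event.get("logid", ""),
                "actor": event.get("user", ""),        # admin who made the change
                "source": event.get("ui", ""),         # GUI/CLI/API and client address
                "new_admin": event.get("cfgobj", ""),  # name of the created account
                "attrs": event.get("cfgattr", ""),     # e.g. access profile assigned
            })
    return hits


# Constructed sample events (not captured from a real device); the logid value
# is assumed to be the config-objattr event referenced in the rule.
SAMPLE_LOGS = [
    'date=2025-11-01 time=09:12:44 devname="FGT-EDGE-01" devid="FGT60F0000000000" '
    'logid="0100044547" type="event" subtype="system" level="information" vd="root" '
    'logdesc="Object attribute configured" user="admin" ui="GUI(192.0.2.10)" '
    'action="Add" cfgtid=1234567 cfgpath="system.admin" cfgobj="svc-backup" '
    'cfgattr="accprofile[super_admin]" msg="Add system.admin svc-backup"',
    # password change on an existing admin: same cfgpath, but action is Edit
    'date=2025-11-01 time=09:15:02 devname="FGT-EDGE-01" devid="FGT60F0000000000" '
    'logid="0100044547" type="event" subtype="system" level="information" vd="root" '
    'logdesc="Object attribute configured" user="admin" ui="GUI(192.0.2.10)" '
    'action="Edit" cfgtid=1234568 cfgpath="system.admin" cfgobj="admin" '
    'cfgattr="password[*]" msg="Edit system.admin admin"',
    # new firewall policy: action Add, but a different cfgpath
    'date=2025-11-01 time=09:20:31 devname="FGT-EDGE-01" devid="FGT60F0000000000" '
    'logid="0100044547" type="event" subtype="system" level="information" vd="root" '
    'logdesc="Object attribute configured" user="admin" ui="CLI(198.51.100.7)" '
    'action="Add" cfgtid=1234569 cfgpath="firewall.policy" cfgobj="42" '
    'cfgattr="srcintf[port1]" msg="Add firewall.policy 42"',
]


if __name__ == "__main__":
    for hit in detect_new_admins(SAMPLE_LOGS):
        print(hit)
```

Only the first sample line fires: the password change shares the cfgpath but has action Edit, and the policy change has action Add on a different cfgpath. The `ui` and `cfgattr` values carried in each hit are what the false-positive note asks you to check: a new account created over the GUI from a known admin workstation with a read-only profile is a very different finding from one created over the API from an unknown address with super_admin.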