FortiGate - Firewall Address Object Added

Original Source: [Sigma source]
Title: FortiGate - Firewall Address Object Added
Status: experimental
Description: Detects the addition of firewall address objects on a Fortinet FortiGate Firewall.
References:
  - https://www.fortiguard.com/psirt/FG-IR-24-535
  - https://docs.fortinet.com/document/fortigate/7.6.4/fortios-log-message-reference/398/event
  - https://docs.fortinet.com/document/fortigate/7.6.4/cli-reference/306021697/config-firewall-address
  - https://docs.fortinet.com/document/fortigate/7.6.4/fortios-log-message-reference/44547/44547-logid-event-config-objattr
Author: Marco Pedrinazzi @pedrinazziM (InTheCyber)
Date: 2025-11-01
Modified: None
Tags:
  - attack.defense-evasion
  - attack.t1562
Logsource:
  product: fortigate
  service: event
Detection:
  selection:
    action: 'Add'
    cfgpath: 'firewall.address'
  condition: selection
Falsepositives:
  - An address could be added or deleted for legitimate purposes.
Level: medium
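The selection above fires when a FortiGate event log carries action "Add" together with cfgpath "firewall.address". The following Python is an added example, not part of the Sigma rule or Fortinet's tooling: it parses FortiGate's key="value" log syntax and applies the rule's two-field selection to a handful of sample lines. The log lines are constructed for this example; the field names (logid, action, cfgpath, cfgobj, cfgattr, user, ui) follow the FortiGate event log reference cited above, but the addresses, object names and timestamps are made up. The comparison is case-insensitive because Sigma string matching is case-insensitive by default.

```python
import re
from typing import Dict, List

# Constructed sample FortiGate event logs in key="value" form. The first line is the
# kind of event the rule targets; the other two are near-misses (a deletion, and an
# addition under a different configuration path) that must not match.
SAMPLE_LOGS = [
    'date=2025-11-01 time=10:15:02 logid="0100044547" type="event" subtype="system" '
    'level="information" logdesc="Object attribute configured" user="admin" '
    'ui="https(192.0.2.10)" action="Add" cfgtid=1234 cfgpath="firewall.address" '
    'cfgobj="EXAMPLE_HOST" cfgattr="subnet[192.0.2.55 255.255.255.255]" '
    'msg="Add firewall.address EXAMPLE_HOST"',
    'date=2025-11-01 time=10:16:40 logid="0100044547" type="event" subtype="system" '
    'level="information" logdesc="Object attribute configured" user="admin" '
    'ui="https(192.0.2.10)" action="Delete" cfgtid=1235 cfgpath="firewall.address" '
    'cfgobj="OLD_HOST" cfgattr="" msg="Delete firewall.address OLD_HOST"',
    'date=2025-11-01 time=10:17:05 logid="0100044547" type="event" subtype="system" '
    'level="information" logdesc="Object attribute configured" user="admin" '
    'ui="https(192.0.2.10)" action="Add" cfgtid=1236 cfgpath="firewall.policy" '
    'cfgobj="7" cfgattr="srcintf[port1]" msg="Add firewall.policy 7"',
]

# FortiGate values are either double-quoted (and may contain spaces, brackets or
# parentheses) or bare tokens without whitespace.
_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_fortigate_log(line: str) -> Dict[str, str]:
    """Parse one FortiGate key=value log line into a field -> value mapping."""
    fields: Dict[str, str] = {}
    for m in _KV_RE.finditer(line):
        key, quoted, bare = m.groups()
        # group 2 is "" (not None) for an empty quoted value such as cfgattr=""
        fields[key] = quoted if quoted is not None else bare
    return fields


# The rule's selection block: every listed field must equal the given value.
SELECTION = {"action": "Add", "cfgpath": "firewall.address"}


def matches_rule(fields: Dict[str, str]) -> bool:
    """True when all selection fields are present and equal, case-insensitively."""
    return all(fields.get(k, "").lower() == v.lower() for k, v in SELECTION.items())


def run_detection(lines: List[str]) -> List[Dict[str, str]]:
    """Apply the rule to each log line and return the parsed fields of every hit."""
    return [f for f in (parse_fortigate_log(line) for line in lines) if matches_rule(f)]


if __name__ == "__main__":
    # Surface the fields an analyst needs first when triaging the documented
    # false positive (a legitimate administrative change): who, from where, what.
    for hit in run_detection(SAMPLE_LOGS):
        print(f"{hit['date']} {hit['time']} user={hit['user']} ui={hit['ui']} "
              f"added {hit['cfgpath']} object {hit['cfgobj']} ({hit['cfgattr']})")
```

Only the first sample line produces a hit; the deletion and the firewall.policy change are ignored, which mirrors the rule's selection exactly. Printing user and ui alongside the object gives the triage context needed to decide whether the addition was an expected administrative change.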