FortiGate - User Group Modified

Original Source: [Sigma source]
Title: FortiGate - User Group Modified
Status: experimental
Description: Detects the modification of a user group on a Fortinet FortiGate Firewall. The group could be used to grant VPN access to a network.
References:
  - https://www.fortiguard.com/psirt/FG-IR-24-535
  - https://docs.fortinet.com/document/fortigate/7.6.4/fortios-log-message-reference/398/event
  - https://docs.fortinet.com/document/fortigate/7.6.4/cli-reference/328136827/config-user-group
  - https://docs.fortinet.com/document/fortigate/7.6.4/fortios-log-message-reference/44547/44547-logid-event-config-objattr
Author: Marco Pedrinazzi @pedrinazziM (InTheCyber)
Date: 2025-11-01
Modified: None
Tags:
  - attack.persistence
  - attack.privilege-escalation
Logsource:
  • product: fortigate
  • service: event
Detection:
  selection:
    action: 'Edit'
    cfgpath: 'user.group'
  condition: selection
False positives:
  - A group can be modified for legitimate purposes.
Level: medium
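As an added example (not part of the Sigma rule or its references), the following Python check parses FortiGate key=value event lines and applies this rule's selection (action Edit on cfgpath user.group) to a few constructed sample lines; the user, UI, object and attribute values in the samples are assumed and not taken from a real device.

```python
import re

# The rule's selection, evaluated as an AND of field=value pairs.
# Sigma string matching is case-insensitive unless a rule says otherwise.
SELECTION = {"action": "Edit", "cfgpath": "user.group"}

# FortiGate event logs are key=value pairs; values are double-quoted or bare tokens.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Constructed sample lines (not real device output). logid 44547 is the
# config-objattr event referenced by the rule; every other value is made up.
SAMPLE_LOGS = [
    'date=2025-11-01 time=10:02:11 logid="0100044547" type="event" subtype="system" '
    'level="information" vd="root" logdesc="Object attribute configured" user="admin" '
    'ui="https(192.0.2.10)" action="Edit" cfgtid=12345 cfgpath="user.group" '
    'cfgobj="vpn_users" cfgattr="member[contractor1]" msg="Edit user.group vpn_users"',
    'date=2025-11-01 time=10:03:40 logid="0100044547" type="event" subtype="system" '
    'level="information" vd="root" user="admin" ui="https(192.0.2.10)" action="Edit" '
    'cfgtid=12346 cfgpath="user.local" cfgobj="contractor1" cfgattr="passwd[*]"',
    'date=2025-11-01 time=10:05:02 logid="0100044547" type="event" subtype="system" '
    'level="information" vd="root" user="admin" ui="ssh(192.0.2.10)" action="Add" '
    'cfgtid=12347 cfgpath="user.group" cfgobj="new_group"',
]


def parse_fortigate_line(line):
    """Turn one FortiGate key=value log line into a dict of string fields."""
    return {key: quoted or bare for key, quoted, bare in KV_RE.findall(line)}


def matches_rule(fields, selection=SELECTION):
    """True when every selection field is present and equal (case-insensitive)."""
    return all(fields.get(key, "").lower() == value.lower()
               for key, value in selection.items())


def detect(lines):
    """Return the triage fields of every line that satisfies the rule's selection."""
    triage_keys = ("time", "user", "ui", "cfgobj", "cfgattr", "msg")
    hits = []
    for line in lines:
        fields = parse_fortigate_line(line)
        if matches_rule(fields):
            hits.append({k: fields.get(k, "") for k in triage_keys})
    return hits


if __name__ == "__main__":
    for hit in detect(SAMPLE_LOGS):
        print(hit)
```

Only the first sample fires: the rule keys on action Edit, so the third line (a group being created with action Add) is outside its scope and would need a separate rule.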