FortiGate - VPN SSL Settings Modified

Original Source: [Sigma source]
Title: FortiGate - VPN SSL Settings Modified
Status: experimental
Description: Detects the modification of VPN SSL settings (for example, the modification of authentication rules). This behavior was observed together with the addition of a VPN SSL Web Portal.
References:
  - https://www.fortiguard.com/psirt/FG-IR-24-535
  - https://docs.fortinet.com/document/fortigate/7.6.4/fortios-log-message-reference/398/event
  - https://docs.fortinet.com/document/fortigate/7.6.4/cli-reference/114404382/config-vpn-ssl-settings
  - https://docs.fortinet.com/document/fortigate/7.6.4/fortios-log-message-reference/44546/44546-logid-event-config-attr
Author: Marco Pedrinazzi @pedrinazziM (InTheCyber)
Date: 2025-11-01
Modified: None
Tags:
  • attack.persistence
  • attack.initial-access
  • attack.t1133
Logsource:
  • product: fortigate
  • service: event
Detection:
  selection:
    action: 'Edit'
    cfgpath: 'vpn.ssl.settings'
  condition: selection
Falsepositives:
  - VPN SSL settings can be changed for legitimate purposes.
Level: medium
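
The selection above, applied to FortiGate key=value event lines, as an added example that is not part of the Sigma rule or the Sigma project's code. The log lines are constructed samples, and the names `parse_kv`, `matches` and `detect` are hypothetical.

```python
import re

# Fields and values taken from the rule's `selection`; all must match (AND).
SELECTION = {"action": "Edit", "cfgpath": "vpn.ssl.settings"}

# key=value pairs; a value is either double-quoted or a bare token.
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S*))')

# Constructed sample events in FortiGate key=value form (not real logs).
SAMPLE_LOGS = [
    'date=2025-11-01 time=10:02:11 logid="0100044546" type="event" subtype="system" '
    'user="admin" ui="GUI(192.0.2.10)" action="Edit" cfgpath="vpn.ssl.settings" '
    'cfgattr="port[443->10443]" msg="Edit vpn.ssl.settings"',
    'date=2025-11-01 time=10:02:40 logid="0100044546" type="event" subtype="system" '
    'user="admin" ui="GUI(192.0.2.10)" action="Add" cfgpath="vpn.ssl.web.portal" '
    'msg="Add vpn.ssl.web.portal"',
    # The msg text mentions the watched path, but the real cfgpath differs.
    'date=2025-11-01 time=10:05:03 logid="0100044546" type="event" subtype="system" '
    'user="ops" ui="ssh(192.0.2.20)" action="Edit" cfgpath="system.admin" '
    'msg="note action=Edit cfgpath=vpn.ssl.settings"',
    # Lower-case action value: still a hit under Sigma string matching.
    'date=2025-11-01 time=11:15:00 logid="0100044546" type="event" subtype="system" '
    'user="svc-backup" ui="ssh(192.0.2.30)" action="edit" cfgpath="vpn.ssl.settings"',
]

def parse_kv(line):
    """Turn one log line into a dict; quoted values are consumed whole,
    so key=value text embedded in msg cannot override the real fields."""
    return {key: quoted or bare for key, quoted, bare in KV.findall(line)}

def matches(event, selection=SELECTION):
    """Sigma compares plain strings case-insensitively; absent fields fail."""
    return all(
        field in event and event[field].lower() == wanted.lower()
        for field, wanted in selection.items()
    )

def detect(lines):
    """Return the parsed events that satisfy `condition: selection`."""
    return [ev for ev in map(parse_kv, lines) if matches(ev)]

if __name__ == "__main__":
    for ev in detect(SAMPLE_LOGS):
        print(ev["date"], ev["time"], ev.get("user"), ev.get("ui"), ev.get("cfgattr"))
```

Printing `user`, `ui` and `cfgattr` for each hit gives the context needed to separate a planned change from an unexpected one, which is the false-positive case the rule notes.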