Skip to content
Threat Feed
medium advisory

FortiGate SSL VPN Login Followed by SIEM Alert

Detects FortiGate SSL VPN logins followed by a SIEM detection alert for the same user within a short timeframe, potentially indicating VPN abuse, credential compromise, or initial access followed by post-compromise activity.

This detection rule identifies instances where a user successfully logs into a FortiGate SSL VPN and is subsequently flagged by a SIEM alert within a 10-minute window. This sequence of events can indicate a compromised account being used to access the network remotely, followed by malicious activity triggering the SIEM. It can also highlight legitimate users engaging in risky behavior after establishing a VPN connection. The rule focuses on FortiGate SSL VPN events (event codes "0101039426" and "0101039427") correlated with any subsequent SIEM alert (excluding alerts originating from FortiGate logs or the correlation rule itself) with a risk score greater than 21. This correlation helps defenders quickly identify potentially malicious VPN usage. The original rule was published on 2026-03-23.

Attack Chain

  1. An attacker gains unauthorized access to valid user credentials through phishing, credential stuffing, or other means (T1078).
  2. The attacker uses the compromised credentials to successfully log in to a FortiGate SSL VPN, triggering a Fortinet authentication log event (event code "0101039426" or "0101039427").
  3. After gaining VPN access, the attacker attempts to move laterally within the network (T1021).
  4. The attacker executes malicious code on an internal system, such as a PowerShell script or a Cobalt Strike beacon (T1059).
  5. The malicious activity triggers a SIEM alert due to suspicious behavior like unusual network connections, file modifications, or registry changes (T1562).
  6. The SIEM alert is correlated with the preceding FortiGate VPN login based on the username within a 10-minute timeframe.
  7. The attacker establishes persistence on the compromised system (T1547).
  8. The attacker proceeds with their objectives, such as data exfiltration or ransomware deployment (TA0011).

Impact

A successful attack following this pattern can lead to significant damage, including data breaches, financial losses, and reputational damage. Compromised VPN access provides attackers with a privileged entry point into the internal network, allowing them to bypass perimeter security controls. Depending on the permissions of the compromised user, the attacker may be able to access sensitive data, disrupt critical systems, and move laterally to other high-value targets within the organization.

Recommendation

  • Deploy the provided Sigma rule to your SIEM to detect FortiGate SSL VPN logins followed by SIEM alerts. Tune the rule's maxspan and risk_score thresholds to reduce false positives based on your environment.
  • Investigate any alerts generated by the Sigma rule, focusing on the activities performed by the user after the VPN login. Use the "Investigation Guide" tag in the original rule as a starting point for analysis.
  • Review FortiGate logs for unusual login patterns, such as logins from unfamiliar geographic locations or multiple failed login attempts followed by a successful login.
  • Implement multi-factor authentication (MFA) for all VPN users to reduce the risk of credential compromise.
  • Monitor SIEM alerts for indicators of lateral movement, such as unusual network connections, privilege escalation attempts, and suspicious process executions.

Detection coverage 2

FortiGate SSL VPN Login Followed by High-Risk SIEM Alert

medium

Detects a FortiGate SSL VPN login followed by a high-risk SIEM alert for the same user, potentially indicating compromised credentials or malicious activity.

sigma tactics: initial_access techniques: T1078 sources: authentication, fortinet

FortiGate Successful VPN Login

info

Detects successful FortiGate VPN logins, which can be used as a baseline for detecting suspicious activity.

sigma tactics: initial_access techniques: T1078 sources: authentication, fortinet

Detection queries are available on the platform. Get full rules →