
Administration Guide

Geo-alerting event handlers

This topic describes the related logs and predefined event handlers that can be used for geo-alerting. These can be helpful for threat detection in scenarios such as multiple authentications to the same account from different geo locations or impossible travel between logins, indicating a likely breach.

The predefined event handler rules that are created for geo-alerting rely on the following fields, which are available for all log types:

  • Source City (srccity)

  • Destination City (dstcity)

  • Source Country (srccountry)

  • Destination Country (dstcountry)

These fields are derived from the source and destination IP addresses in the log. When the IP is a public IP, the city and country resolved from the geolocation database are displayed in the fields listed above. For example, see below.

In other scenarios, the fields are displayed as follows:

  • When the IP is invalid, these fields are empty.

  • When there is no IP, these fields are empty.

  • When the IP is a private IP, these fields display Reserved.

These source and destination fields can also be parsed to Fabric logs in the SIEM database. All predefined log parsers are updated to parse the srccity, dstcity, srccountry, and dstcountry fields into the normalized SIEM fields src_geo_city, src_geo_country, dst_geo_city, and dst_geo_country in Fabric logs.

For example, see the Fabric logs with Source City, Source Country, Destination City, and Destination Country populated in the table view.

The following predefined event handler, Default-Multiple-Authentications-to-the-Same-Account, includes multiple rules to detect suspicious login activity from different IPs or countries:

In addition to the event handler above, the predefined ZTNA Login Anomaly Detection event handler includes one rule for geo-alerting, Impossible Travel Login Detection:

These event handlers are enabled by default. They use normalized Fabric logs to detect events.

The following topology was used for the examples below.

Default-Multiple-Authentications-to-the-Same-Account

Default-Multiple-Authentications-to-the-Same-Account is a basic event handler that detects multiple failed or successful authentication attempts to the same network device or domain using the same account but originating from different IP addresses or geo locations.

This event handler uses the predefined data selector Default Microsoft Windows Security Auditing Log to ensure the proper devices and logs are used to trigger events.

MITRE coverage:

  • MITRE Tech ID = T1078 Valid Accounts.

Rule details:

Rules

Description

Authentication to the Same Device from Different Public IPs

Triggers an event when a user has four failed or successful authentications to the same device from different public IPs within 30 minutes.

Event Severity: Medium

Log Field: Host Name, User Name

Log Filter by Text:

(event_id = '4624' or event_id = '4625') and src_geo != '0' and src_geo != '1000000000'

Event Message: Authentication attempts on host: $groupby1 by user: $groupby2 from different public IP addresses

Tags: ValidAccounts

Additional Info: Authentication for application: ${app_ref}

Note

In Windows Security logs, event ID 4624 indicates a successful logon and event ID 4625 indicates a failed logon. The src_geo conditions in the filter restrict the rule to logs whose source IP resolved to a public geolocation, so logons from private or unresolvable addresses do not count toward the thresholds.

Authentication to the Same Domain from Different Public IPs

Triggers an event when a user has four failed or successful authentications to the same domain from different public IPs within 30 minutes.

Event Severity: Medium

Log Field: Destination Domain, User Name

Log Filter by Text:

(event_id = '4624' or event_id = '4625') and src_geo != '0' and src_geo != '1000000000'

Event Message: Authentication attempts to domain: $groupby1 by user: $groupby2 from different public IP Addresses

Tags: ValidAccounts

Additional Info: Authentication for application: ${app_ref}

Authentication to the Same Device from Different Geo Locations

Triggers an event when a user has three failed or successful authentications to the same device from different countries within one hour.

Event Severity: Critical

Log Field: Host Name, User Name

Log Filter by Text:

(event_id = '4624' or event_id = '4625') and src_geo != '0' and src_geo != '1000000000'

Event Message: Authentication attempts on host: $groupby1 by user: $groupby2 from different Geo Locations

Tags: ValidAccounts

Additional Info: Authentication for application: ${app_ref}

Authentication to the Same Domain from Different Geo Locations

Triggers an event when a user has three failed or successful authentications to the same domain from different countries within one hour.

Event Severity: Critical

Log Field: Destination Domain, User Name

Log Filter by Text:

(event_id = '4624' or event_id = '4625') and src_geo != '0' and src_geo != '1000000000'

Event Message: Authentication attempts to domain: $groupby1 by user: $groupby2 from different Geo Locations

Tags: ValidAccounts

Additional Info: Authentication for application: ${app_ref}
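As an added example (not part of the Fortinet documentation or FortiAnalyzer's own code), the Python below reproduces the logic of the four rules over a handful of constructed Windows logon records. It first derives the geo fields from the source IP using the empty/Reserved rules described earlier on this page, applies the rules' log filter, and then counts distinct public IPs or countries per (host, user) or (domain, user) within each rule's window. The GeoIP table, the log records, and the private-address definition (RFC 1918 plus loopback and link-local; the TEST-NET documentation ranges are treated as public so they can stand in for public addresses) are assumptions made for this example.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed stand-in for the geolocation database: public IP -> (city, country).
GEO_DB = {
    "203.0.113.10": ("Ottawa", "Canada"),
    "203.0.113.11": ("Toronto", "Canada"),
    "198.51.100.5": ("Berlin", "Germany"),
    "192.0.2.77": ("Tokyo", "Japan"),
}

# Assumed definition of "private" for the example: RFC 1918, loopback and link-local.
# (The TEST-NET ranges used above are documentation space and are treated as public here.)
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                 "127.0.0.0/8", "169.254.0.0/16")]

def geo_fields(ip):
    """Derive (city, country) the way the page describes srccity/srccountry:
    missing or invalid IP -> empty; private IP -> 'Reserved'; public IP -> database lookup."""
    if not ip:
        return "", ""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return "", ""
    if any(addr in net for net in PRIVATE_NETS):
        return "Reserved", "Reserved"
    return GEO_DB.get(ip, ("", ""))   # public IP unknown to the table: left empty (assumption)

# Constructed Windows Security events: (timestamp, event_id, host, domain, user, src_ip).
SAMPLE_LOGS = [
    ("2024-05-01T09:00:00", "4625", "EXCH01", "corp.example", "alice", "203.0.113.10"),
    ("2024-05-01T09:05:00", "4625", "EXCH01", "corp.example", "alice", "203.0.113.11"),
    ("2024-05-01T09:10:00", "4624", "EXCH01", "corp.example", "alice", "198.51.100.5"),
    ("2024-05-01T09:20:00", "4624", "EXCH01", "corp.example", "alice", "192.0.2.77"),
    ("2024-05-01T09:25:00", "4624", "EXCH01", "corp.example", "bob",   "10.1.2.3"),     # private
    ("2024-05-01T09:26:00", "4624", "EXCH01", "corp.example", "bob",   "not-an-ip"),    # invalid
    ("2024-05-01T09:30:00", "4634", "EXCH01", "corp.example", "alice", "198.51.100.5"), # logoff
]

def normalize(raw):
    """Turn a raw record into Fabric-log style fields, including src_geo_city/src_geo_country."""
    ts, event_id, host, domain, user, src_ip = raw
    city, country = geo_fields(src_ip)
    return {"ts": datetime.fromisoformat(ts), "event_id": event_id, "host": host,
            "domain": domain, "user": user, "src_ip": src_ip,
            "src_geo_city": city, "src_geo_country": country}

def log_filter(rec):
    """Counterpart of the rules' Log Filter: logon success/failure (4624/4625) whose
    source IP resolved to a public geolocation (neither empty nor Reserved)."""
    return rec["event_id"] in ("4624", "4625") and rec["src_geo_country"] not in ("", "Reserved")

def distinct_within_window(records, group_keys, distinct_field, threshold, window):
    """For each group, fire once when at least `threshold` distinct values of
    `distinct_field` appear within `window` of some record. Returns [(group, values)]."""
    groups = defaultdict(list)
    for r in sorted(records, key=lambda r: r["ts"]):
        groups[tuple(r[k] for k in group_keys)].append(r)
    events = []
    for group, recs in groups.items():
        for i, first in enumerate(recs):
            seen = set()
            for r in recs[i:]:
                if r["ts"] - first["ts"] > window:
                    break
                seen.add(r[distinct_field])
            if len(seen) >= threshold:
                events.append((group, seen))
                break
    return events

# The four rules: (group-by fields, field that must differ, count, window).
RULES = {
    "Authentication to the Same Device from Different Public IPs":
        (("host", "user"), "src_ip", 4, timedelta(minutes=30)),
    "Authentication to the Same Domain from Different Public IPs":
        (("domain", "user"), "src_ip", 4, timedelta(minutes=30)),
    "Authentication to the Same Device from Different Geo Locations":
        (("host", "user"), "src_geo_country", 3, timedelta(hours=1)),
    "Authentication to the Same Domain from Different Geo Locations":
        (("domain", "user"), "src_geo_country", 3, timedelta(hours=1)),
}

def run_rules(raw_logs):
    recs = [r for r in map(normalize, raw_logs) if log_filter(r)]
    return {name: distinct_within_window(recs, *spec) for name, spec in RULES.items()}

if __name__ == "__main__":
    for name, events in run_rules(SAMPLE_LOGS).items():
        for group, values in events:
            print(f"{name}: {group} -> {sorted(values)}")
```

With the sample data, alice's four logons from four public addresses in three countries within 20 minutes fire all four rules, while bob's logons from a private and an invalid address never enter the count, which is the behaviour the src_geo conditions in the filter produce.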

Events triggered by this event handler are visible in the Event Monitor:

You can double-click an event to view the related logs. In this example, there is login activity from multiple countries for a single user to the MS Exchange Server.

ZTNA Login Anomaly Detection: Impossible Travel Login Detection

You can find the Impossible Travel Login Detection rule in the predefined ZTNA Login Anomaly Detection event handler.

Note

For this rule to trigger events, you must also have a FortiAuthenticator configured in your network and logging to FortiAnalyzer.

Rule details:

Rule

Description

Impossible Travel Login Detection

Event Severity: High

Log Field: UEBA User ID

Log Filter by Text:

data_sourcetype='FortiAuthenticator' and euid>1024 and app_state='Success' and event_subtype='Authentication' and event_action='Authentication'

Trigger an event when (Advanced Mode):

GEO_DISTANCE(1, 'km') alias geo_distance > TIME_DIFF(1, 'hour') alias time_diff * (geo_distance > 400 ? then 1400 else 100) and geo_distance > 200 and time_diff > 0.1 and not cellular and not cloud and not usual_locations

Event Type Override: Auth

Event Message: Impossible travel login detected for user: ${event.user_name}

Event Status: Unhandled

Tags: ZTNA, Login, Geo, ImpossibleTravel, Auth

Indicators:

  Log field                              Indicator Type   Count
  ${src_geo_city} ${src_geo_country}     Others           6
  Source IP (src_ip)                     IP               6

Additional Info: User ${event.user_name} logged in from ${event.src_geo_city} ${event.src_geo_country}. The previous login was from ${last_event.src_geo_city} ${last_event.src_geo_country}. The distance between the two locations is ${rule.alias.geo_distance}, with a time difference of less than ${event.time_diff_threshold}.

The table below describes the individual conditions set in Advanced Mode to trigger an event. All of the conditions must be met to trigger an event.

Condition

Description

Geo Distance vs. Speed Threshold

Criteria: geo_distance > time_diff * (geo_distance > 400 ? then 1400 else 100)

The geo distance between two logins (geo_distance) must exceed the product of the time difference (time_diff) and an adaptive speed threshold:

  • If geo_distance is greater than 400 km, the allowed speed is up to 1400 km/h (roughly commercial air travel).

  • If geo_distance is 400 km or less, the allowed speed is up to 100 km/h (roughly ground travel).

Minimum Geo Distance

Criteria: geo_distance > 200

To avoid triggering events for short-range travel, the geo distance must be greater than 200km.

Minimum Time Difference

Criteria: time_diff > 0.1

The time difference between the two login events must be greater than 0.1 hour (approximately 6 minutes).

Not from Cellular IPs

Criteria: not cellular

The source IP must not belong to a cellular connection.

Not from Cloud IPs

Criteria: not cloud

The source IP must not belong to cloud providers, such as AWS, Azure, or GCP as they can appear to be far from the actual user locations.

Not from Usual Locations

Criteria: not usual_locations

The geo location must not be a usual location for the user. A location is considered usual if the user has accessed it three or more times in the last 30 days.

Not a Private IP

Private IP addresses are excluded by default from the distance calculation when searching the database.

Tip

If appropriate for your environment, you can clone the event handler and remove the following conditions in the Advanced Mode field according to your needs:

  • not cellular

  • not cloud

  • not usual_locations

  • not privateIP
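As an added example that is not FortiAnalyzer's own code, the Python below evaluates the Impossible Travel Login Detection expression for consecutive logins of one user, clause by clause, so you can see which condition suppresses an event. Distance is computed with the haversine formula. The city coordinates, the login records, and the cellular/cloud/private flags (which stand in for the IP-classification lookups the rule performs; the page does not show where that data comes from) are assumptions made for the example. `usual_locations` implements the "three or more times in the last 30 days" definition from the table above.

```python
import math
from collections import Counter
from datetime import datetime, timedelta

def login(ts, city, country, lat, lon, cellular=False, cloud=False, private=False):
    """Constructed successful FortiAuthenticator-style login for one user."""
    return {"ts": datetime.fromisoformat(ts), "city": city, "country": country,
            "lat": lat, "lon": lon, "cellular": cellular, "cloud": cloud, "private": private}

# Approximate city centres (assumed coordinates for the example).
OTTAWA = ("Ottawa", "Canada", 45.4215, -75.6972)
MONTREAL = ("Montreal", "Canada", 45.5019, -73.5674)
FRANKFURT = ("Frankfurt", "Germany", 50.1109, 8.6821)

# Ten days of history inside the 30-day window: the user normally logs in from Ottawa.
HISTORY = [login(f"2024-05-{d:02d}T08:00:00", *OTTAWA) for d in range(1, 11)]

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km (stand-in for GEO_DISTANCE(1, 'km'))."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def usual_locations(history, now, days=30, min_count=3):
    """A location is usual if the user logged in from it three or more times in the last 30 days."""
    cutoff = now - timedelta(days=days)
    counts = Counter((l["city"], l["country"]) for l in history if l["ts"] >= cutoff)
    return {loc for loc, n in counts.items() if n >= min_count}

def impossible_travel(prev, cur, usual):
    """Evaluate the rule's Advanced Mode expression for one consecutive login pair.
    Returns None when a private IP is involved (excluded from the distance calculation),
    otherwise the computed values and the outcome of each clause."""
    if prev["private"] or cur["private"]:
        return None
    geo_distance = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
    time_diff = (cur["ts"] - prev["ts"]).total_seconds() / 3600.0   # TIME_DIFF(1, 'hour')
    speed_limit = 1400 if geo_distance > 400 else 100               # adaptive km/h threshold
    conditions = {
        "speed": geo_distance > time_diff * speed_limit,
        "min_distance": geo_distance > 200,
        "min_time": time_diff > 0.1,
        "not_cellular": not cur["cellular"],
        "not_cloud": not cur["cloud"],
        "not_usual": (cur["city"], cur["country"]) not in usual,
    }
    return {"geo_distance_km": round(geo_distance, 1), "time_diff_h": round(time_diff, 2),
            "triggered": all(conditions.values()), "conditions": conditions}

def evaluate_sequence(history, new_logins):
    """Walk new logins in order, comparing each with the login before it, and return an
    Additional Info-style message for every pair that triggers."""
    history = sorted(history, key=lambda l: l["ts"])
    alerts = []
    for cur in sorted(new_logins, key=lambda l: l["ts"]):
        prev = history[-1]
        result = impossible_travel(prev, cur, usual_locations(history, cur["ts"]))
        if result and result["triggered"]:
            alerts.append(f"Impossible travel: {cur['city']} {cur['country']} "
                          f"after {prev['city']} {prev['country']}, "
                          f"{result['geo_distance_km']} km in {result['time_diff_h']} h")
        history.append(cur)
    return alerts

if __name__ == "__main__":
    print(evaluate_sequence(HISTORY, [login("2024-05-11T08:00:00", *OTTAWA),
                                      login("2024-05-11T10:00:00", *FRANKFURT)]))
```

An Ottawa login followed two hours later by one from Frankfurt (about 6,000 km, far beyond 2 h x 1400 km/h) triggers; an Ottawa to Montreal hop an hour later exceeds the 100 km/h ground limit but fails the 200 km minimum, and the same Frankfurt login from a cloud address, from a private address, or once Frankfurt has become a usual location, does not fire. Dropping the `not cloud` or `not usual_locations` clauses from the expression, as the tip above describes, corresponds to removing those keys from `conditions`.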

You can find the related events in the Event Monitor:

The Event Monitor displays the customized event message, including the username, in the Event column. The event status, severity, type, and tags are shown in their respective columns. Additionally, using the additional info configured in the rule, the Additional Info column provides further detail about the event at a glance.

Right-click an event in the Event Monitor and select View Logs to display the consecutive logs:

Right-click an event in the Event Monitor and select Search in Log View to display all the related logs:

This rule is also configured to create indicators that record the previous and the new login location. If the event is updated by a later login, the indicators show the new geo-login information as well.

In Event Monitor, you can include the Indicators column to view the indicators related to these events.

Click a link in this column to display the Indicators pane with more information. For example, see the Indicators pane below which displays the previous and current login:

To enable, disable, and troubleshoot the geo location function in the FortiAnalyzer CLI:

Use the following diagnose commands.

Command to enable the geo location function:

diagnose test application sqllogd 231 .geolocation enable

Command to disable the geo location function:

diagnose test application sqllogd 231 .geolocation disable

Other related commands:

  # diagnose test application sqllogd 231

    Geo-Location diag usage:
    info                      geoip cache info
    countrylist               list all country names
    ip4dump                   dump ip4 ranges
    ip6dump                   dump ip6 ranges
    ip                        find IP's country
    fgt-cfg-cache             dump fgt-geo-cfg-cache info
