Login templates
Templates for building policies based on user login events.
Failed login attempt
Available under any of the following licenses: FortiDLP Enterprise, FortiDLP Managed
Requirements: Agent version 4.2.0 or later, Windows
Detects when a user exceeds the maximum number of failed login attempts within a given time period.
Note: Subsequent detections and actions for the same user and remote address will not be generated until the configured time window has elapsed.
| Parameter | Type | Description |
|---|---|---|
| User parameters | ||
| Usernames | Advanced asset list | A list of usernames authorized or unauthorized to log in. Case-insensitive matching is used. |
| User security identifiers (SID) | Advanced asset list | A list of user security identifiers (SID) authorized or unauthorized to log in. Full regular expression (regex) grammar is supported and case-insensitive matching is used. |
| Username patterns | Advanced asset list | A list of patterns for matching usernames that are authorized or unauthorized to log in. Full regular expression (regex) grammar is supported and case-insensitive matching is used. |
| Connection parameters | ||
| Remote IP addresses | Advanced asset list | A list of IP addresses in CIDR format authorized or unauthorized to log in. |
| Login parameters | ||
| Maximum permitted failed login attempts | Integer | The maximum number of failed login attempts allowed during the given time period. |
| Time window (in seconds) | Integer | The number of seconds during which the maximum number of failed login attempts must be exceeded. |
| Tactic | Technique | Sub-technique |
|---|---|---|
| TA0006 (Credential Access) attack.mitre.org/tactics/TA0006/ | T1110 (Brute Force) attack.mitre.org/techniques/T1110/ | |
Note: MITRE ATT&CK indicators require Agent 11.4.1+.
| Incident clustering rule | Default |
|---|---|
| Cluster by source IP | Disabled |
| Cluster by policy | Disabled |
Supported actions: Display message, Lock, Isolate, Take screenshot, Reboot
Login outside office hours
Available under any of the following licenses: FortiDLP Enterprise, FortiDLP Managed
Requirements: Agent version 7.4.0 or later
Detects when a user logs in outside of expected working hours.
| Parameter | Type | Description |
|---|---|---|
| User parameters | ||
| Usernames | Advanced asset list | A list of usernames authorized or unauthorized to log in. Case-insensitive matching is used. |
| User security identifiers (SID) | Advanced asset list | A list of user identifiers (SID on Windows and UID on Linux and macOS) authorized or unauthorized to log in. Full regular expression (regex) grammar is supported and case-insensitive matching is used. |
| Username patterns | Advanced asset list | A list of patterns for matching usernames that are authorized or unauthorized to log in. Full regular expression (regex) grammar is supported and case-insensitive matching is used. |
| Connection parameters | ||
| Remote IP addresses | Advanced asset list | A list of IP addresses in CIDR format authorized or unauthorized to log in. |
| Expected hour parameters | ||
| List of days off | String list | A list of non-working days. This list can be empty, which indicates that every day of the week is a working day. |
| Start time | String | The start time of the work day in 24-hour format (HH:MM). Times are in the FortiDLP Agent's local timezone. |
| End time | String | The end time of the work day in 24-hour format (HH:MM). Times are in the FortiDLP Agent's local timezone. |
| Machine learning parameters | ||
| Use machine learning model | Boolean | The toggle to enable/disable using machine learning to detect users' working hours. If enabled, the model automatically learns the working hours of individual users, and detects login activity outside these hours. The "List of days off", "Start time", and "End time" parameters will not be used when machine learning is enabled. |
| Training period (days) | Integer | The time period (in days) during which normal user login activity is learned by the machine learning model. No detections will be generated during this period. The FortiDLP Agent will continue to learn from user login activity after this period. |
| Treat screen locking as logging out | Boolean | The toggle to enable/disable detection of users manually locking their computer screens, where a screen lock is considered to be a logout. If this toggle is turned on and a user locks their screen, this is treated as a logout and the period from then until the next login is considered to be a period of inactivity. If this toggle is turned off and a user locks their screen, the user will be considered logged in and the Agent will learn to identify this period as expected user activity. |
| Outlier threshold | Float | The threshold value for the machine learning model to detect logins outside of working hours. Increasing the threshold will result in more time being classified as regular working hours resulting in fewer detections, and vice versa. |
| Tactic | Technique | Sub-technique |
|---|---|---|
| TA0001 (Initial Access) attack.mitre.org/tactics/TA0001/ | T1078 (Valid Accounts) attack.mitre.org/techniques/T1078/ | T1078.002 (Domain Accounts) attack.mitre.org/techniques/T1078/002/ |
Note: MITRE ATT&CK indicators require Agent 11.4.1+.
| Incident clustering rule | Default |
|---|---|
| Cluster by policy | Disabled |
Supported actions: Display message, Lock, Isolate, Take screenshot, Reboot
Login to unexpected domain
Available under any of the following licenses: FortiDLP Enterprise, FortiDLP Managed
Requirements: Windows
Detects when a user logs in to an unusual domain.
| Parameter | Type | Description |
|---|---|---|
| User parameters | ||
| Domain | Advanced asset list | A list of domains users are authorized or unauthorized to log in to. |
| Tactic | Technique | Sub-technique |
|---|---|---|
| TA0001 (Initial Access) attack.mitre.org/tactics/TA0001/ | T1078 (Valid Accounts) attack.mitre.org/techniques/T1078/ | T1078.002 (Domain Accounts) attack.mitre.org/techniques/T1078/002/ |
Note: MITRE ATT&CK indicators require Agent 11.4.1+.
| Incident clustering rule | Default |
|---|---|
| Cluster by hostname | Disabled |
| Cluster by policy | Disabled |
Supported actions: Display message, Lock, Isolate, Take screenshot, Reboot
Login using local machine credentials
Available under any of the following licenses: FortiDLP Enterprise, FortiDLP Managed
Requirements: Windows
Detects when a user logs in using local machine credentials.
| Parameter | Type | Description |
|---|---|---|
| User parameters | ||
| Usernames | Advanced asset list | A list of usernames authorized or unauthorized for login. Case-insensitive matching is used. |
| User security identifiers (SID) | Advanced asset list | A list of user security identifiers (SID) authorized or unauthorized for login. Full regular expression (regex) grammar is supported and case-insensitive matching is used. |
| Allow system service accounts | Boolean | A toggle to allow/prohibit system service accounts (e.g. NT Authority and root). |
| Username patterns | Advanced asset list | A list of patterns for matching usernames that are authorized or unauthorized to log in. Full regular expression (regex) grammar is supported and case-insensitive matching is used. |
| Tactic | Technique | Sub-technique |
|---|---|---|
| TA0001 (Initial Access) attack.mitre.org/tactics/TA0001/ | T1078 (Valid Accounts) attack.mitre.org/techniques/T1078/ | T1078.003 (Local Accounts) attack.mitre.org/techniques/T1078/003/ |
Note: MITRE ATT&CK indicators require Agent 11.4.1+.
| Incident clustering rule | Default |
|---|---|
| Cluster by policy | Disabled |
Supported actions: Display message, Lock, Isolate, Take screenshot, Reboot
Login with unauthorized account
Available under any of the following licenses: FortiDLP Enterprise, FortiDLP Managed
Requirements: Agent version 7.1.0 or later, Windows or Linux
Detects when a user logs in with an unauthorized account.
Note: If you leave the "Username", "User security identifiers (SID)", and "Remote IP addresses" parameters empty, the policy will not monitor any login activity. A one-hour cache period is used to suppress detections for repeated login events from the same username/UID. For detailed information about Windows login types, go to https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4624#logon-types-and-descriptions.
| Parameter | Type | Description |
|---|---|---|
| User parameters | ||
| Usernames | Advanced asset list | A list of usernames authorized or unauthorized to log in. Case-insensitive matching is used. |
| User security identifiers (SID) | Advanced asset list | A list of user identifiers (SID on Windows and UID on Linux and macOS) authorized or unauthorized to log in. Full regular expression (regex) grammar is supported and case-insensitive matching is used. |
| Username patterns | Advanced asset list | A list of patterns for matching usernames that are authorized or unauthorized to log in. Full regular expression (regex) grammar is supported and case-insensitive matching is used. |
| Connection parameters | ||
| Remote IP addresses | Advanced asset list | A list of IP addresses in CIDR format authorized or unauthorized to log in with an unauthorized username or UID. |
| Login type parameters | ||
| Monitor login types (Windows only) | String list | A list of unauthorized login types to monitor on the Windows platform. |
| Monitor failed login attempts | Boolean | The toggle to enable/disable monitoring of failed login attempts with unauthorized usernames or UIDs. |
| Monitor successful logins | Boolean | The toggle to enable/disable monitoring of successful logins with unauthorized usernames or UIDs. |
| Tactic | Technique | Sub-technique |
|---|---|---|
| TA0001 (Initial Access) attack.mitre.org/tactics/TA0001/ | T1078 (Valid Accounts) attack.mitre.org/techniques/T1078/ | |
Note: MITRE ATT&CK indicators require Agent 11.4.1+.
| Incident clustering rule | Default |
|---|---|
| Cluster by policy | Disabled |
Supported actions: Display message, Lock, Isolate, Take screenshot, Reboot
Successful login after multiple failed attempts
Available under any of the following licenses: FortiDLP Enterprise, FortiDLP Managed
Requirements: Agent version 4.2.0 or later, Windows
Detects when a user successfully logs into an account after multiple failed login attempts.
Note: Subsequent detections and actions for the same user and remote address will not be generated until the configured time window has elapsed.
| Parameter | Type | Description |
|---|---|---|
| User parameters | ||
| Usernames | Advanced asset list | A list of usernames authorized or unauthorized to log in. Case-insensitive matching is used. |
| User security identifiers (SID) | Advanced asset list | A list of user security identifiers (SID) authorized or unauthorized to log in. Full regular expression (regex) grammar is supported and case-insensitive matching is used. |
| Username patterns | Advanced asset list | A list of patterns for matching usernames that are authorized or unauthorized to log in. Full regular expression (regex) grammar is supported and case-insensitive matching is used. |
| Connection parameters | ||
| Remote IP addresses | Advanced asset list | A list of IP addresses in CIDR format authorized or unauthorized to log in. |
| Login parameters | ||
| Minimum number of failed login attempts | Integer | The minimum number of failed login attempts that must occur before a successful login for a detection to be generated. |
| Time window (in seconds) | Integer | The number of seconds during which the minimum number of failed login attempts must be exceeded before a successful login. |
| Tactic | Technique | Sub-technique |
|---|---|---|
| TA0006 (Credential Access) attack.mitre.org/tactics/TA0006/ | T1110 (Brute Force) attack.mitre.org/techniques/T1110/ | |
Note: MITRE ATT&CK indicators require Agent 11.4.1+.
| Incident clustering rule | Default |
|---|---|
| Cluster by source IP | Disabled |
| Cluster by policy | Disabled |
Supported actions: Display message, Lock, Isolate, Take screenshot, Reboot
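The threshold, time-window and suppression semantics described for the "Failed login attempt" and "Successful login after multiple failed attempts" templates, as an added example that is not FortiDLP code: the event tuple layout, the `detect` function and the sample login events are constructed here, and usernames are compared case-insensitively as the parameter tables state.

```python
from collections import defaultdict, deque

# Constructed sample login events: (seconds, username, remote IP, success?)
EVENTS = [
    (0,   "alice", "10.0.0.5", False),
    (10,  "alice", "10.0.0.5", False),
    (20,  "alice", "10.0.0.5", False),
    (30,  "alice", "10.0.0.5", False),  # 4th failure in 60 s: exceeds max of 3
    (40,  "alice", "10.0.0.5", False),  # same user/address, window not elapsed: suppressed
    (50,  "alice", "10.0.0.5", True),   # success after >= 3 failures in the window
    (100, "bob",   "10.0.0.6", False),
    (200, "bob",   "10.0.0.6", False),  # first failure fell out of the window: no detection
    (400, "alice", "10.0.0.5", False),  # window elapsed; counting starts again
]


def detect(events, max_failed=3, min_failed=3, window=60):
    """Return (exceeded, success_after) detection lists of (ts, user, ip).

    exceeded: failures for one user/address exceed max_failed within window,
              then suppressed for that pair until window seconds have elapsed.
    success_after: a successful login preceded by >= min_failed failures
              within window for the same user/address.
    """
    failures = defaultdict(deque)   # (user, ip) -> timestamps of recent failures
    quiet_until = {}                # (user, ip) -> time when detections may resume
    exceeded, success_after = [], []
    for ts, user, ip, ok in events:
        key = (user.lower(), ip)    # case-insensitive username matching
        recent = failures[key]
        while recent and ts - recent[0] > window:   # slide the window forward
            recent.popleft()
        if ok:
            if len(recent) >= min_failed:
                success_after.append((ts, user, ip))
            recent.clear()          # a success ends the failure run
            continue
        recent.append(ts)
        if len(recent) > max_failed and ts >= quiet_until.get(key, 0):
            exceeded.append((ts, user, ip))
            quiet_until[key] = ts + window          # suppress repeats for this pair
    return exceeded, success_after


if __name__ == "__main__":
    print(detect(EVENTS))
```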