
New detection rules and observations

This page lists the new detection rules and observations in FortiNDR Cloud. New rules are created every month; however, it is possible that a rule is created in a category that already exists.

2024.10.0

Primary ATT&CK Name | ATR Category
Application Layer Protocol | Attack:Command and Control > Connectivity Check
DNS | Attack:Command and Control > DNS Tunneling
Ingress Tool Transfer | Attack:Installation > Remote File Copy from External
LLMNR/NBT-NS Poisoning and SMB Relay | Posture:Anomalous Activity
Remote Access Software | Posture:Potentially Unauthorized Software or Device > Remote Admin Tools
Symmetric Cryptography | Attack:Command and Control > Other Protocol

2024.9.0

Primary ATT&CK Name | ATR Category
Abuse Elevation Control Mechanism | Attack:Exploitation
Application Layer Protocol | Attack:Command and Control > Web Shell
Exploit Public-Facing Application | Attack:Exploitation > Exploit Public-facing Application
Non-Application Layer Protocol | Attack:Command and Control > Custom Protocol
Web Protocols | Attack:Command and Control > HTTP(S) Beaconing

2024.8.0

Primary ATT&CK Name | ATR Category
Application Layer Protocol | Attack:Command and Control > Other Protocol
Domain Account | Attack:Discovery > Remote System Scanning
Domain Controller Authentication | Attack:Miscellaneous
Exploit Public-Facing Application | Attack:Exploitation > Exploit Public-facing Application
Exploitation for Client Execution | Attack:Exploitation
Exploitation for Privilege Escalation | Attack:Miscellaneous
Network Denial of Service | Attack:Impact > Network DoS
Non-Application Layer Protocol | Attack:Command and Control > Custom Protocol

2024.6.0

Primary ATT&CK Name | ATR Category
Exploit Public-Facing Application | Attack:Exploitation > Exploit Public-facing Application
Non-Application Layer Protocol | Attack:Command and Control > Other Protocol
Application Layer Protocol | Attack:Command and Control > Other Protocol
Web Protocols | Attack:Command and Control > HTTP(S) Beaconing
Non-Application Layer Protocol | Attack:Command and Control > Custom Protocol
Ingress Tool Transfer | Attack:Installation > Remote File Copy from External

2024.5.0

Rules

Primary ATT&CK Name | ATR Category
Exploit Public-Facing Application | Attack:Command and Control > Other Protocol
Non-Application Layer Protocol | Attack:Command and Control > Other Protocol

2024.4.0

Rules

Primary ATT&CK Name | ATR Category
Network Denial of Service | Attack:Impact > Network DoS
Exploit Public-Facing Application | Attack:Exploitation > Exploit Public-facing Application
Network Denial of Service | Attack:Impact > Network DoS
Network Denial of Service | Posture:Anomalous Activity
Network Denial of Service | Attack:Impact > Service DoS
Network Denial of Service | Attack:Impact > Network DoS

2024.3.1

Rules

Primary ATT&CK Name | ATR Category
Application Layer Protocol | PUA:Adware
Command and Scripting Interpreter | Attack:Exploitation > Exploit Public-facing Application
Exfiltration Over Web Service | Attack:Exfiltration > C2 Server Upload
Exploit Public-Facing Application | Attack:Exploitation > Exploit Public-facing Application
Non-Application Layer Protocol | Attack:Command and Control > Custom Protocol
Web Protocols | Attack:Command and Control > HTTP(S) Beaconing

2024.3.0

Rules

Primary ATT&CK Name | ATR Category
Exploit Public-Facing Application | Attack:Exploitation > Exploit Public-facing Application
Non-Application Layer Protocol | Posture:Potentially Unauthorized Software or Device

2024.2.0

Observations

Name | Description
SSL C2 Beaconing Similarity | Identify SSL connections that resemble Command and Control (C2) beaconing activity: telemetry that tells a C2 server the client is active and/or requests command(s) to execute. This observation performs statistical characterizations of the SSL connection to look for client software that calls back to a server on an extremely periodic schedule.
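The periodicity statistic the observation above relies on can be reproduced from ordinary connection logs. The following is an added example, not FortiNDR Cloud's own implementation: it groups connections by (source, destination, port), computes the inter-arrival gaps for each flow, and flags flows whose coefficient of variation (standard deviation divided by mean gap) is small, i.e. clock-like callbacks. The connection records, IP addresses, and thresholds are constructed for illustration.

```python
"""Added example (not FortiNDR Cloud code): score SSL connection logs for
beacon-like periodicity by measuring inter-arrival jitter per flow."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample log: (timestamp_seconds, src_ip, dst_ip, dst_port).
# 10.0.0.5 calls 203.0.113.10:443 roughly every 60 s with a few seconds of
# jitter; 10.0.0.7 talks to 198.51.100.20:443 at irregular, human-like times.
SAMPLE_CONNECTIONS = [
    (0, "10.0.0.5", "203.0.113.10", 443),
    (61, "10.0.0.5", "203.0.113.10", 443),
    (119, "10.0.0.5", "203.0.113.10", 443),
    (180, "10.0.0.5", "203.0.113.10", 443),
    (241, "10.0.0.5", "203.0.113.10", 443),
    (299, "10.0.0.5", "203.0.113.10", 443),
    (360, "10.0.0.5", "203.0.113.10", 443),
    (5, "10.0.0.7", "198.51.100.20", 443),
    (9, "10.0.0.7", "198.51.100.20", 443),
    (47, "10.0.0.7", "198.51.100.20", 443),
    (200, "10.0.0.7", "198.51.100.20", 443),
    (212, "10.0.0.7", "198.51.100.20", 443),
    (215, "10.0.0.7", "198.51.100.20", 443),
    (590, "10.0.0.7", "198.51.100.20", 443),
]


def interarrival_stats(timestamps):
    """Return (mean_gap, coefficient_of_variation) for the gaps between
    consecutive timestamps, or None when there are too few gaps to judge."""
    ts = sorted(timestamps)
    gaps = [later - earlier for earlier, later in zip(ts, ts[1:])]
    if len(gaps) < 2:
        return None
    mean_gap = mean(gaps)
    if mean_gap == 0:
        return None  # all connections at the same instant: a burst, not a beacon
    return mean_gap, pstdev(gaps) / mean_gap


def score_beacons(connections, min_connections=6, max_cv=0.1):
    """Group connections per flow and flag those whose inter-arrival jitter is
    small relative to the period. A CV near 0 means the client reconnects on
    a near-constant schedule; human-driven traffic has a CV well above 1.
    Thresholds are illustrative assumptions, not product defaults."""
    by_flow = defaultdict(list)
    for ts, src, dst, port in connections:
        by_flow[(src, dst, port)].append(ts)

    findings = []
    for flow, ts in by_flow.items():
        if len(ts) < min_connections:
            continue  # too little evidence to characterize the flow
        stats = interarrival_stats(ts)
        if stats is None:
            continue
        period, cv = stats
        if cv <= max_cv:
            findings.append({
                "flow": flow,
                "count": len(ts),
                "period_s": round(period, 1),
                "cv": round(cv, 3),
            })
    return findings


if __name__ == "__main__":
    for finding in score_beacons(SAMPLE_CONNECTIONS):
        print(finding)
```

On the constructed sample only the 10.0.0.5 flow is reported (period about 60 s, CV about 0.02); the browsing flow has a CV above 1 and is ignored. Benign software such as update checkers and monitoring agents also calls home on a fixed schedule, so a low CV is a triage prompt to be combined with destination reputation, certificate details and the size of each exchange rather than a verdict on its own.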

Rules

Primary ATT&CK Name | ATR Category
Web Protocols | Attack:Command and Control > Web Shell
Ingress Tool Transfer | Attack:Installation > Remote File Copy from External
Domain Groups | Attack:Discovery > Network Directory Scanning
LLMNR/NBT-NS Poisoning and SMB Relay | Attack:Infection Vector > LLMNR/NBT-NS Poisoning
Exploitation for Client Execution | Attack:Exploitation
Lateral Tool Transfer | Attack:Installation > Remote File Copy from External
Application Layer Protocol | PUA:Spyware