diff --git a/rta/bin/pkexec_cve20214034/cve-2021-4034 b/rta/bin/pkexec_cve20214034/cve-2021-4034
deleted file mode 100755
index 0390a795cbe..00000000000
Binary files a/rta/bin/pkexec_cve20214034/cve-2021-4034 and /dev/null differ
diff --git a/rules/network/command_and_control_download_rar_powershell_from_internet.toml b/rules/network/command_and_control_download_rar_powershell_from_internet.toml
index 353a1460eec..d7f59c1288a 100644
--- a/rules/network/command_and_control_download_rar_powershell_from_internet.toml
+++ b/rules/network/command_and_control_download_rar_powershell_from_internet.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/07/02"
-integration = ["network_traffic", "panw"]
+integration = ["network_traffic", "panw", "fortinet_fortigate"]
 maturity = "production"
-updated_date = "2024/09/18"
+updated_date = "2024/11/27"
 
 [rule]
 author = ["Elastic"]
@@ -19,7 +19,7 @@ false_positives = [
 """,
 ]
 from = "now-9m"
-index = ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*", "logs-panw.panos*"]
+index = ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*", "logs-panw.panos*", "logs-fortinet_fortigate.*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Roshal Archive (RAR) or PowerShell File Downloaded from the Internet"
@@ -34,7 +34,13 @@ references = [
 risk_score = 47
 rule_id = "ff013cb4-274d-434a-96bb-fe15ddd3ae92"
 severity = "medium"
-tags = ["Use Case: Threat Detection", "Tactic: Command and Control", "Domain: Endpoint", "Data Source: PAN-OS"]
+tags = [
+ "Use Case: Threat Detection",
+ "Tactic: Command and Control",
+ "Domain: Endpoint",
+ "Data Source: PAN-OS",
+ "Data Source: Fortinet-Fortigate"
+]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/network/command_and_control_nat_traversal_port_activity.toml b/rules/network/command_and_control_nat_traversal_port_activity.toml
index f61786952a2..42bf8385fc3 100644
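Review bot: The `index` line gains `logs-fortinet_fortigate.*` while the rule's `query` is untouched and lies outside the hunks, so nothing in this change shows that FortiGate events populate the fields that query filters on; if the integration maps them differently, the new pattern adds scan cost without ever matching. A short comment above the key would record the assumption for the next maintainer, for example `# FortiGate traffic logs must populate the same ECS source/destination/network fields the query below uses`, and the PR description should say which FortiGate datasets were tested against the query. The same applies to every `index` hunk in this change, in particular discovery_potential_syn_port_scan_detected.toml, whose description relies on per-port packet counts that the FortiGate events would also need to carry.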
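Review bot: The `tags` array is reflowed to one element per line here, but the identical edit in command_and_control_rdp_remote_desktop_protocol_from_the_internet.toml and initial_access_smb_windows_file_sharing_activity_to_the_internet.toml keeps the single-line form, so after this change the rule set carries two layouts for the same key. Pick one form for all of the touched rules; the multi-line form used here matches the existing `tags` block in discovery_potential_network_sweep_detected.toml, so converting the two remaining single-line arrays is the smaller edit. The same reflowed blocks appear in the NAT traversal, port 26, both VNC and both RPC rules.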
--- a/rules/network/command_and_control_nat_traversal_port_activity.toml
+++ b/rules/network/command_and_control_nat_traversal_port_activity.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/02/18"
-integration = ["network_traffic", "panw"]
+integration = ["network_traffic", "panw", "fortinet_fortigate"]
 maturity = "production"
-updated_date = "2024/09/18"
+updated_date = "2024/11/27"
 
 [rule]
 author = ["Elastic"]
@@ -21,14 +21,20 @@ false_positives = [
 """,
 ]
 from = "now-9m"
-index = ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*", "logs-panw.*"]
+index = ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*", "logs-panw.*", "logs-fortinet_fortigate.*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "IPSEC NAT Traversal Port Activity"
 risk_score = 21
 rule_id = "a9cb3641-ff4b-4cdc-a063-b4b8d02a67c7"
 severity = "low"
-tags = ["Tactic: Command and Control", "Domain: Endpoint", "Use Case: Threat Detection", "Data Source: PAN-OS"]
+tags = [
+ "Tactic: Command and Control",
+ "Domain: Endpoint",
+ "Use Case: Threat Detection",
+ "Data Source: PAN-OS",
+ "Data Source: Fortinet-Fortigate"
+]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/network/command_and_control_port_26_activity.toml b/rules/network/command_and_control_port_26_activity.toml
index 2a01401278b..dc6cd85d9c3 100644
--- a/rules/network/command_and_control_port_26_activity.toml
+++ b/rules/network/command_and_control_port_26_activity.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/02/18"
-integration = ["network_traffic", "panw"]
+integration = ["network_traffic", "panw", "fortinet_fortigate"]
 maturity = "production"
-updated_date = "2024/09/18"
+updated_date = "2024/11/27"
 
 [rule]
 author = ["Elastic"]
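Review bot: The rewritten `index` line keeps `logs-panw.*` while every other rule in this change uses `logs-panw.panos*`, so the NAT traversal rule alone reads every panw dataset rather than the PAN-OS one. If that breadth is not intended, narrow it while the line is being touched: `index = ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*", "logs-panw.panos*", "logs-fortinet_fortigate.*"]`. If it is deliberate, a comment above the key stating why this rule needs the wider pattern would keep the next sweep from "fixing" it.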
@@ -18,7 +18,7 @@ false_positives = [
 """,
 ]
 from = "now-9m"
-index = ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*", "logs-panw.panos*"]
+index = ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*", "logs-panw.panos*", "logs-fortinet_fortigate.*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "SMTP on Port 26/TCP"
@@ -29,7 +29,13 @@ references = [
 risk_score = 21
 rule_id = "d7e62693-aab9-4f66-a21a-3d79ecdd603d"
 severity = "low"
-tags = ["Tactic: Command and Control", "Domain: Endpoint", "Use Case: Threat Detection", "Data Source: PAN-OS"]
+tags = [
+ "Tactic: Command and Control",
+ "Domain: Endpoint",
+ "Use Case: Threat Detection",
+ "Data Source: PAN-OS",
+ "Data Source: Fortinet-Fortigate"
+]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/network/command_and_control_rdp_remote_desktop_protocol_from_the_internet.toml b/rules/network/command_and_control_rdp_remote_desktop_protocol_from_the_internet.toml
index e9e59ab3aeb..ebc9057aec4 100644
--- a/rules/network/command_and_control_rdp_remote_desktop_protocol_from_the_internet.toml
+++ b/rules/network/command_and_control_rdp_remote_desktop_protocol_from_the_internet.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/02/18"
-integration = ["network_traffic", "panw"]
+integration = ["network_traffic", "panw", "fortinet_fortigate"]
 maturity = "production"
-updated_date = "2024/09/18"
+updated_date = "2024/11/27"
 
 [rule]
 author = ["Elastic"]
@@ -23,7 +23,7 @@ false_positives = [
 """,
 ]
 from = "now-9m"
-index = ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*", "logs-panw.panos*"]
+index = ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*", "logs-panw.panos*", "logs-fortinet_fortigate.*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "RDP (Remote Desktop Protocol) from the Internet"
@@ -31,7 +31,7 @@ references = ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana-
 risk_score = 47
 rule_id = "8c1bdde8-4204-45c0-9e0c-c85ca3902488"
 severity = "medium"
-tags = ["Tactic: Command and Control", "Domain: Endpoint", "Use Case: Threat Detection", "Data Source: PAN-OS"]
+tags = ["Tactic: Command and Control", "Domain: Endpoint", "Use Case: Threat Detection", "Data Source: PAN-OS", "Data Source: Fortinet-Fortigate"]
 timeline_id = "300afc76-072d-4261-864d-4149714bf3f1"
 timeline_title = "Comprehensive Network Timeline"
 timestamp_override = "event.ingested"
diff --git a/rules/network/command_and_control_vnc_virtual_network_computing_from_the_internet.toml b/rules/network/command_and_control_vnc_virtual_network_computing_from_the_internet.toml
index db915e0a059..7e5fbd56431 100644
--- a/rules/network/command_and_control_vnc_virtual_network_computing_from_the_internet.toml
+++ b/rules/network/command_and_control_vnc_virtual_network_computing_from_the_internet.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/02/18"
-integration = ["network_traffic", "panw"]
+integration = ["network_traffic", "panw", "fortinet_fortigate"]
 maturity = "production"
-updated_date = "2024/09/18"
+updated_date = "2024/11/27"
 
 [rule]
 author = ["Elastic"]
@@ -21,7 +21,7 @@ false_positives = [
 """,
 ]
 from = "now-9m"
-index = ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*", "logs-panw.panos*"]
+index = ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*", "logs-panw.panos*", "logs-fortinet_fortigate.*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "VNC (Virtual Network Computing) from the Internet"
@@ -29,7 +29,13 @@ references = ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana-
 risk_score = 73
 rule_id = "5700cb81-df44-46aa-a5d7-337798f53eb8"
 severity = "high"
-tags = ["Tactic: Command and Control", "Domain: Endpoint", "Use Case: Threat Detection", "Data Source: PAN-OS"]
+tags = [
+ "Tactic: Command and Control",
+ "Domain: Endpoint",
+ "Use Case: Threat Detection",
+ "Data Source: PAN-OS",
+ "Data Source: Fortinet-Fortigate"
+]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/network/command_and_control_vnc_virtual_network_computing_to_the_internet.toml b/rules/network/command_and_control_vnc_virtual_network_computing_to_the_internet.toml
index f7f629214dd..66aca65f295 100644
--- a/rules/network/command_and_control_vnc_virtual_network_computing_to_the_internet.toml
+++ b/rules/network/command_and_control_vnc_virtual_network_computing_to_the_internet.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/02/18"
-integration = ["network_traffic", "panw"]
+integration = ["network_traffic", "panw", "fortinet_fortigate"]
 maturity = "production"
-updated_date = "2024/09/18"
+updated_date = "2024/11/27"
 
 [rule]
 author = ["Elastic"]
@@ -21,7 +21,7 @@ false_positives = [
 """,
 ]
 from = "now-9m"
-index = ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*", "logs-panw.panos*"]
+index = ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*", "logs-panw.panos*", "logs-fortinet_fortigate.*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "VNC (Virtual Network Computing) to the Internet"
@@ -29,7 +29,13 @@ references = ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana-
 risk_score = 47
 rule_id = "3ad49c61-7adc-42c1-b788-732eda2f5abf"
 severity = "medium"
-tags = ["Tactic: Command and Control", "Domain: Endpoint", "Use Case: Threat Detection", "Data Source: PAN-OS"]
+tags = [
+ "Tactic: Command and Control",
+ "Domain: Endpoint",
+ "Use Case: Threat Detection",
+ "Data Source: PAN-OS",
+ "Data Source: Fortinet-Fortigate"
+]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/network/discovery_potential_network_sweep_detected.toml b/rules/network/discovery_potential_network_sweep_detected.toml
index 1f4a3572f07..9b96f919131 100644
--- a/rules/network/discovery_potential_network_sweep_detected.toml
+++ b/rules/network/discovery_potential_network_sweep_detected.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2023/05/17"
-integration = ["endpoint", "network_traffic", "panw"]
+integration = ["endpoint", "network_traffic", "panw", "fortinet_fortigate"]
 maturity = "production"
-updated_date = "2024/09/18"
+updated_date = "2024/11/27"
 
 [rule]
 author = ["Elastic"]
@@ -14,7 +14,7 @@ theft, or other malicious activities. This rule proposes threshold logic to chec
 source host to 10 or more destination hosts on commonly used network services.
 """
 from = "now-9m"
-index = ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*", "logs-endpoint.events.network-*", "logs-panw.panos*"]
+index = ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*", "logs-endpoint.events.network-*", "logs-panw.panos*", "logs-fortinet_fortigate.*"]
 language = "kuery"
 license = "Elastic License v2"
 max_signals = 5
@@ -28,7 +28,8 @@ tags = [
 "Tactic: Reconnaissance",
 "Use Case: Network Security Monitoring",
 "Data Source: Elastic Defend",
- "Data Source: PAN-OS"
+ "Data Source: PAN-OS",
+ "Data Source: Fortinet-Fortigate"
 ]
 timestamp_override = "event.ingested"
 type = "threshold"
diff --git a/rules/network/discovery_potential_syn_port_scan_detected.toml b/rules/network/discovery_potential_syn_port_scan_detected.toml
index a7360800045..dda5f04c3f5 100644
--- a/rules/network/discovery_potential_syn_port_scan_detected.toml
+++ b/rules/network/discovery_potential_syn_port_scan_detected.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2023/05/17"
-integration = ["endpoint", "network_traffic", "panw"]
+integration = ["endpoint", "network_traffic", "panw", "fortinet_fortigate"]
 maturity = "production"
-updated_date = "2024/09/18"
+updated_date = "2024/11/27"
 
 [rule]
 author = ["Elastic"]
@@ -15,7 +15,7 @@ to data breaches or further malicious activities. This rule proposes threshold l
 from one source host to 10 or more destination ports using 2 or less packets per port.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.network-*", "logs-network_traffic.*", "packetbeat-*", "auditbeat-*", "filebeat-*", "logs-panw.panos*"]
+index = ["logs-endpoint.events.network-*", "logs-network_traffic.*", "packetbeat-*", "auditbeat-*", "filebeat-*", "logs-panw.panos*", "logs-fortinet_fortigate.*"]
 language = "kuery"
 license = "Elastic License v2"
 max_signals = 5
@@ -29,7 +29,8 @@ tags = [
 "Tactic: Reconnaissance",
 "Use Case: Network Security Monitoring",
 "Data Source: Elastic Defend",
- "Data Source: PAN-OS"
+ "Data Source: PAN-OS",
+ "Data Source: Fortinet-Fortigate"
 ]
 timestamp_override = "event.ingested"
 type = "threshold"
diff --git a/rules/network/initial_access_rpc_remote_procedure_call_from_the_internet.toml b/rules/network/initial_access_rpc_remote_procedure_call_from_the_internet.toml
index ddaf50fd579..d0445b07d3d 100644
--- a/rules/network/initial_access_rpc_remote_procedure_call_from_the_internet.toml
+++ b/rules/network/initial_access_rpc_remote_procedure_call_from_the_internet.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/02/18"
-integration = ["network_traffic", "panw"]
+integration = ["network_traffic", "panw", "fortinet_fortigate"]
 maturity = "production"
-updated_date = "2024/09/18"
+updated_date = "2024/11/27"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ directly exposed to the Internet, as it is frequently targeted and exploited by
 backdoor vector.
 """
 from = "now-9m"
-index = ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*", "logs-panw.panos*"]
+index = ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*", "logs-panw.panos*", "logs-fortinet_fortigate.*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "RPC (Remote Procedure Call) from the Internet"
@@ -21,7 +21,13 @@ references = ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana-
 risk_score = 73
 rule_id = "143cb236-0956-4f42-a706-814bcaa0cf5a"
 severity = "high"
-tags = ["Tactic: Initial Access", "Domain: Endpoint", "Use Case: Threat Detection", "Data Source: PAN-OS"]
+tags = [
+ "Tactic: Initial Access",
+ "Domain: Endpoint",
+ "Use Case: Threat Detection",
+ "Data Source: PAN-OS",
+ "Data Source: Fortinet-Fortigate"
+]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/network/initial_access_rpc_remote_procedure_call_to_the_internet.toml b/rules/network/initial_access_rpc_remote_procedure_call_to_the_internet.toml
index 765d3d433c4..aef8305524f 100644
--- a/rules/network/initial_access_rpc_remote_procedure_call_to_the_internet.toml
+++ b/rules/network/initial_access_rpc_remote_procedure_call_to_the_internet.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/02/18"
-integration = ["network_traffic", "panw"]
+integration = ["network_traffic", "panw", "fortinet_fortigate"]
 maturity = "production"
-updated_date = "2024/09/18"
+updated_date = "2024/11/27"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ directly exposed to the Internet, as it is frequently targeted and exploited by
 backdoor vector.
 """
 from = "now-9m"
-index = ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*", "logs-panw.panos*"]
+index = ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*", "logs-panw.panos*", "logs-fortinet_fortigate.*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "RPC (Remote Procedure Call) to the Internet"
@@ -21,7 +21,13 @@ references = ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana-
 risk_score = 73
 rule_id = "32923416-763a-4531-bb35-f33b9232ecdb"
 severity = "high"
-tags = ["Tactic: Initial Access", "Domain: Endpoint", "Use Case: Threat Detection", "Data Source: PAN-OS"]
+tags = [
+ "Tactic: Initial Access",
+ "Domain: Endpoint",
+ "Use Case: Threat Detection",
+ "Data Source: PAN-OS",
+ "Data Source: Fortinet-Fortigate"
+]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/network/initial_access_smb_windows_file_sharing_activity_to_the_internet.toml b/rules/network/initial_access_smb_windows_file_sharing_activity_to_the_internet.toml
index ec784917be1..82320c25a2c 100644
--- a/rules/network/initial_access_smb_windows_file_sharing_activity_to_the_internet.toml
+++ b/rules/network/initial_access_smb_windows_file_sharing_activity_to_the_internet.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/02/18"
-integration = ["network_traffic", "panw"]
+integration = ["network_traffic", "panw", "fortinet_fortigate"]
 maturity = "production"
-updated_date = "2024/09/18"
+updated_date = "2024/11/27"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ systems. It should almost never be directly exposed to the Internet, as it is fr
 threat actors as an initial access or backdoor vector or for data exfiltration.
 """
 from = "now-9m"
-index = ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*", "logs-panw.panos*"]
+index = ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*", "logs-panw.panos*", "logs-fortinet_fortigate.*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "SMB (Windows File Sharing) Activity to the Internet"
@@ -21,7 +21,7 @@ references = ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana-
 risk_score = 73
 rule_id = "c82b2bd8-d701-420c-ba43-f11a155b681a"
 severity = "high"
-tags = ["Tactic: Initial Access", "Domain: Endpoint", "Use Case: Threat Detection", "Data Source: PAN-OS"]
+tags = ["Tactic: Initial Access", "Domain: Endpoint", "Use Case: Threat Detection", "Data Source: PAN-OS", "Data Source: Fortinet-Fortigate"]
 timestamp_override = "event.ingested"
 type = "query"