KQL | License: Elastic-2.0 | from elastic/detection-rules
FortiGate Administrator Account Creation from Unusual Source
Quality: 92
FP risk: —
Rule source: rules/network/persistence_fortigate_admin_creation_unusual_source.toml

Query:
data_stream.dataset: "fortinet_fortigate.log" and
event.code: "0100044547" and
fortinet.firewall.cfgpath: "system.admin" and
fortinet.firewall.action: "Add" and
fortinet.firewall.ui: (* and not "")