From 7533b307bff61ff58c1731142731477134784d53 Mon Sep 17 00:00:00 2001
From: SHolzhauer
Date: Wed, 27 Nov 2024 16:58:43 +0100
Subject: [PATCH 1/3] test

---
 rta/bin/pkexec_cve20214034/cve-2021-4034 | Bin 16616 -> 0 bytes
 1 file changed, 0 insertions(+), 0 deletions(-)
 delete mode 100755 rta/bin/pkexec_cve20214034/cve-2021-4034
diff --git a/rta/bin/pkexec_cve20214034/cve-2021-4034 b/rta/bin/pkexec_cve20214034/cve-2021-4034 deleted file mode 100755 index 0390a795cbe2a2ade46dd2099a0679ab83fb57e7..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 16616 zcmeHOZ)_Y#6`%9P@uf-5PMQ=qY4NsABnRp}$4OkLt(!aBXRpC=Ok$^?CRv?*XZw=- zW8Lkwb^tZVq2g2$@_`RX2q6IyDfB}cl?qTL5)!3}5GX;QMwCjXq>@{K>IjHjAU@vP zo!@zPeMS`@5J)@H-Fxph@Ar1*?d;y{?acGhzV0fYPoVh4Q-ZC5ItvNQit*i2ArTgB zVl{n#Ts$aNlD)#jtopDesMaduRZba@xSu5R&dPeXd_ej^qJ=D(w_F*owrU`S><9DA zDrp0Ud{DLn5_tJ|iaerAo|6rOwDUMOvrQInw%sW;dAtEB!DEwo^O83&d5|;mc#y~^ z=Y&6(Wjwd+qB<^+?8{}~T_etVN?~iMeA0piBzT`89=G$O7NmW@Jl=A7sh91Cl-(7f zRC2g=XDAhKN+mOe$)?G+)~42-YCfyBnEmGX?Ay~nWHyP%7gEb@-asG5xc=(M@524( z&;01y-~aKiuc{3{eC@57eSFhbq^7?z5>2_8T=W- zl?whxm%%yq!xj7m81K@KqKx5dd2M+rtpAag1F8O#UGd3J;;<{NI zjxo;ooDG+^7KX*V4Yywh^AE(3IdG}m#L}*JsH(K}7Jb(?gh^w2oa^74DN)&ap6t;xAZ-70 zZ}G+vt@w^MeQR!DuGnG+sao+}V~zG=`zFF?o2W;#wCCCAz7f3yCsaHw;iKSjA^_r#LB=wh;Iz#kXi#|lW=)6|E zLcM&QYG+R`luFkwjjFW`C)tDY9C^C8_-5o_Z}CoKC{nx|p$uPj8eZ{}`74LKvKZukz{9c>BvMfuYOP}@iXmjNWM(+ z7Rf=9*XBy4%OtyQmrA!tevjm%^w$BuzvbdPzF+tz>wKHn)CA7>YU&v0H3DBD{wLW% zmdgG@Y@vGgZzO+(eS>w~!TL|tu6{0XLhRY}#3y!aF<+-Lzl%N!`QhCnyEFF?eeM#T zWgrr)d!edx?aHd7)FO-X1%f|I{W#3^9l^S5AwQ9E+4am7?2GC zerAPLfp%YzezZu{EQt3H`S?em=}K=~&BwtB$)~r(rj7j4W1MLplJy@-yWDOW|GzD; zuH1dxRyhuUV_j`eXXoQeV^?B08Otbb>JGKJsdbyBz;#*ar z^?tENC>8OwB3uygzk59V(ZrXIt2<_#rRVom>Od9k9&%q7 zYY1OY`Kgn?H{4Gy50Ijmn)Ayr@ulOWjqo}eKkjjIAK~k(mR>J=71WA%V3xZcmaURaeeGle;h(!81ed=huwS`Hsl}YK3 z{aW}B^rwWgzdH|Cr2j4%-~3Ucc)uW=+v)aylW@g$JgBz`e;9^cj^vEIQ5YRnN5ta( z5#31ZBfNtoPrFCrS$!;(9gd~+xRK4}^;lt2jAYXjsf3Y;tB>tyq3tJ?oOtg_Qjg_w zu_--~F>+I4G#5)J^mrkio+66P(#g|sxY7=ork3WG?M*wIckHCL>3aA6$ljfeOr#TmB)!uu83)E$05FRZ;l?%XZ7(|CeHhI=cn6$<+1$DTPq`h9rxKP;|kLAaO8lTEgJWComtLE86E}zV1 z9EMJHxkM_)1gTA=456CcR7q9GvSb>GN&4nNMNU~W{c2)d4x{ln1%YKzt?^_rpwkgz z>Es9 z%(oyFsjP3~~z`rF8SV2){#fUK}6uH%RdDT!8sE!uFHG&j8?Ko(IXl ze_Z%Eg7XAE=IaLuG{ 
zl+3XgK9;={$*}Vk$tz2{GwH7I;_EJcSUNzWy$Ayv@>?!GelH;}x=uKbk9gm8@iFg) z#PcEi-Ti+_@^SuzB0Z%{N)y7(e}yWziQv2U>plshly3gdT>P_&

#Y^&feY;lwpk zc#QKk#0B#}?BjL&!-o7Vacb!UKAs=unmF3xc(bfU8~i^|1&=-OF+asV=^5F6j8E`z z9(g{^F5u&N$P7}`#1 dxeT;g>RMND92br}U9H4F+-7;yxCky&{0nqmPa6OL
From 60b67339e086286cb2ab893b973902aa902be3db Mon Sep 17 00:00:00 2001
From: SHolzhauer
Date: Wed, 27 Nov 2024 17:49:04 +0100
Subject: [PATCH 2/3] Adding index patterns for fortigate

---
 ...mmand_and_control_download_rar_powershell_from_internet.toml | 2 +-
 .../command_and_control_nat_traversal_port_activity.toml | 2 +-
 rules/network/command_and_control_port_26_activity.toml | 2 +-
 ...d_control_rdp_remote_desktop_protocol_from_the_internet.toml | 2 +-
 ...control_vnc_virtual_network_computing_from_the_internet.toml | 2 +-
 ...d_control_vnc_virtual_network_computing_to_the_internet.toml | 2 +-
 rules/network/discovery_potential_network_sweep_detected.toml | 2 +-
 rules/network/discovery_potential_syn_port_scan_detected.toml | 2 +-
 ...tial_access_rpc_remote_procedure_call_from_the_internet.toml | 2 +-
 ...nitial_access_rpc_remote_procedure_call_to_the_internet.toml | 2 +-
 ...ccess_smb_windows_file_sharing_activity_to_the_internet.toml | 2 +-
 11 files changed, 11 insertions(+), 11 deletions(-)

diff --git a/rules/network/command_and_control_download_rar_powershell_from_internet.toml b/rules/network/command_and_control_download_rar_powershell_from_internet.toml
index 353a1460eec..a3c5516f586 100644
--- a/rules/network/command_and_control_download_rar_powershell_from_internet.toml
+++ b/rules/network/command_and_control_download_rar_powershell_from_internet.toml
@@ -19,7 +19,7 @@ false_positives = [
 """,
 ]
 from = "now-9m"
-index = ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*", "logs-panw.panos*"]
+index = ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*", "logs-panw.panos*", "logs-fortinet_fortigate.*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Roshal Archive (RAR) or PowerShell File Downloaded from the Internet"
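Review bot: The added `logs-fortinet_fortigate.*` pattern on the `+index` line is not accompanied by anything showing that the rule's KQL (outside this hunk, after `name`) matches what FortiGate events carry; this family of rules presumably filters on ECS network fields such as ports, direction and source/destination address ranges, which only match FortiGate data if the integration populates the same fields and values, so a query check against a FortiGate event sample is needed before the index is enabled on all eleven rules. The same applies to the other ten hunks in this patch (nat_traversal, port_26, rdp, vnc from/to, network_sweep, syn_port_scan, rpc from/to, smb). The nat_traversal hunk keeps the pre-existing `logs-panw.*` where the other ten rules use `logs-panw.panos*`; it is not introduced here, but worth aligning while the line is touched. Separately, patch 1/3 of this series (subject "test") deletes `rta/bin/pkexec_cve20214034/cve-2021-4034`, which looks unrelated to the FortiGate change and may be an accidental inclusion.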
diff --git a/rules/network/command_and_control_nat_traversal_port_activity.toml b/rules/network/command_and_control_nat_traversal_port_activity.toml
index f61786952a2..6991d90e73c 100644
--- a/rules/network/command_and_control_nat_traversal_port_activity.toml
+++ b/rules/network/command_and_control_nat_traversal_port_activity.toml
@@ -21,7 +21,7 @@ false_positives = [
 """,
 ]
 from = "now-9m"
-index = ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*", "logs-panw.*"]
+index = ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*", "logs-panw.*", "logs-fortinet_fortigate.*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "IPSEC NAT Traversal Port Activity"
diff --git a/rules/network/command_and_control_port_26_activity.toml b/rules/network/command_and_control_port_26_activity.toml
index 2a01401278b..1073b315f6d 100644
--- a/rules/network/command_and_control_port_26_activity.toml
+++ b/rules/network/command_and_control_port_26_activity.toml
@@ -18,7 +18,7 @@ false_positives = [
 """,
 ]
 from = "now-9m"
-index = ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*", "logs-panw.panos*"]
+index = ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*", "logs-panw.panos*", "logs-fortinet_fortigate.*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "SMTP on Port 26/TCP"
diff --git a/rules/network/command_and_control_rdp_remote_desktop_protocol_from_the_internet.toml b/rules/network/command_and_control_rdp_remote_desktop_protocol_from_the_internet.toml
index e9e59ab3aeb..003e5bcf5c2 100644
--- a/rules/network/command_and_control_rdp_remote_desktop_protocol_from_the_internet.toml
+++ b/rules/network/command_and_control_rdp_remote_desktop_protocol_from_the_internet.toml
@@ -23,7 +23,7 @@ false_positives = [
 """,
 ]
 from = "now-9m"
-index = ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*", "logs-panw.panos*"]
+index = ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*", "logs-panw.panos*", "logs-fortinet_fortigate.*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "RDP (Remote Desktop Protocol) from the Internet"
diff --git a/rules/network/command_and_control_vnc_virtual_network_computing_from_the_internet.toml b/rules/network/command_and_control_vnc_virtual_network_computing_from_the_internet.toml
index db915e0a059..c4ec4887936 100644
--- a/rules/network/command_and_control_vnc_virtual_network_computing_from_the_internet.toml
+++ b/rules/network/command_and_control_vnc_virtual_network_computing_from_the_internet.toml
@@ -21,7 +21,7 @@ false_positives = [
 """,
 ]
 from = "now-9m"
-index = ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*", "logs-panw.panos*"]
+index = ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*", "logs-panw.panos*", "logs-fortinet_fortigate.*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "VNC (Virtual Network Computing) from the Internet"
diff --git a/rules/network/command_and_control_vnc_virtual_network_computing_to_the_internet.toml b/rules/network/command_and_control_vnc_virtual_network_computing_to_the_internet.toml
index f7f629214dd..6eae0b2da5d 100644
--- a/rules/network/command_and_control_vnc_virtual_network_computing_to_the_internet.toml
+++ b/rules/network/command_and_control_vnc_virtual_network_computing_to_the_internet.toml
@@ -21,7 +21,7 @@ false_positives = [
 """,
 ]
 from = "now-9m"
-index = ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*", "logs-panw.panos*"]
+index = ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*", "logs-panw.panos*", "logs-fortinet_fortigate.*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "VNC (Virtual Network Computing) to the Internet"
diff --git a/rules/network/discovery_potential_network_sweep_detected.toml b/rules/network/discovery_potential_network_sweep_detected.toml
index 1f4a3572f07..5ed40416021 100644
--- a/rules/network/discovery_potential_network_sweep_detected.toml
+++ b/rules/network/discovery_potential_network_sweep_detected.toml
@@ -14,7 +14,7 @@ theft, or other malicious activities. This rule proposes threshold logic to chec
 source host to 10 or more destination hosts on commonly used network services.
 """
 from = "now-9m"
-index = ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*", "logs-endpoint.events.network-*", "logs-panw.panos*"]
+index = ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*", "logs-endpoint.events.network-*", "logs-panw.panos*", "logs-fortinet_fortigate.*"]
 language = "kuery"
 license = "Elastic License v2"
 max_signals = 5
diff --git a/rules/network/discovery_potential_syn_port_scan_detected.toml b/rules/network/discovery_potential_syn_port_scan_detected.toml
index a7360800045..479dc29982b 100644
--- a/rules/network/discovery_potential_syn_port_scan_detected.toml
+++ b/rules/network/discovery_potential_syn_port_scan_detected.toml
@@ -15,7 +15,7 @@ to data breaches or further malicious activities. This rule proposes threshold l
 from one source host to 10 or more destination ports using 2 or less packets per port.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.network-*", "logs-network_traffic.*", "packetbeat-*", "auditbeat-*", "filebeat-*", "logs-panw.panos*"]
+index = ["logs-endpoint.events.network-*", "logs-network_traffic.*", "packetbeat-*", "auditbeat-*", "filebeat-*", "logs-panw.panos*", "logs-fortinet_fortigate.*"]
 language = "kuery"
 license = "Elastic License v2"
 max_signals = 5
diff --git a/rules/network/initial_access_rpc_remote_procedure_call_from_the_internet.toml b/rules/network/initial_access_rpc_remote_procedure_call_from_the_internet.toml
index ddaf50fd579..8f5a61d1a4d 100644
--- a/rules/network/initial_access_rpc_remote_procedure_call_from_the_internet.toml
+++ b/rules/network/initial_access_rpc_remote_procedure_call_from_the_internet.toml
@@ -13,7 +13,7 @@ directly exposed to the Internet, as it is frequently targeted and exploited by
 backdoor vector.
 """
 from = "now-9m"
-index = ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*", "logs-panw.panos*"]
+index = ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*", "logs-panw.panos*", "logs-fortinet_fortigate.*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "RPC (Remote Procedure Call) from the Internet"
diff --git a/rules/network/initial_access_rpc_remote_procedure_call_to_the_internet.toml b/rules/network/initial_access_rpc_remote_procedure_call_to_the_internet.toml
index 765d3d433c4..73b5c50714c 100644
--- a/rules/network/initial_access_rpc_remote_procedure_call_to_the_internet.toml
+++ b/rules/network/initial_access_rpc_remote_procedure_call_to_the_internet.toml
@@ -13,7 +13,7 @@ directly exposed to the Internet, as it is frequently targeted and exploited by
 backdoor vector.
 """
 from = "now-9m"
-index = ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*", "logs-panw.panos*"]
+index = ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*", "logs-panw.panos*", "logs-fortinet_fortigate.*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "RPC (Remote Procedure Call) to the Internet"
diff --git a/rules/network/initial_access_smb_windows_file_sharing_activity_to_the_internet.toml b/rules/network/initial_access_smb_windows_file_sharing_activity_to_the_internet.toml
index ec784917be1..6247c21c934 100644
--- a/rules/network/initial_access_smb_windows_file_sharing_activity_to_the_internet.toml
+++ b/rules/network/initial_access_smb_windows_file_sharing_activity_to_the_internet.toml
@@ -13,7 +13,7 @@ systems. It should almost never be directly exposed to the Internet, as it is fr
 threat actors as an initial access or backdoor vector or for data exfiltration.
 """
 from = "now-9m"
-index = ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*", "logs-panw.panos*"]
+index = ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*", "logs-panw.panos*", "logs-fortinet_fortigate.*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "SMB (Windows File Sharing) Activity to the Internet"

From 444599bdf67a79cef71b0d290df393551aff63e4 Mon Sep 17 00:00:00 2001
From: SHolzhauer
Date: Wed, 27 Nov 2024 18:04:30 +0100
Subject: [PATCH 3/3] adding integration and tags

---
 ...ontrol_download_rar_powershell_from_internet.toml | 12 +++++++++---
 ...mand_and_control_nat_traversal_port_activity.toml | 12 +++++++++---
 .../command_and_control_port_26_activity.toml | 12 +++++++++---
 ...dp_remote_desktop_protocol_from_the_internet.toml | 6 +++---
 ..._virtual_network_computing_from_the_internet.toml | 12 +++++++++---
 ...nc_virtual_network_computing_to_the_internet.toml | 12 +++++++++---
 .../discovery_potential_network_sweep_detected.toml | 7 ++++---
 .../discovery_potential_syn_port_scan_detected.toml | 7 ++++---
 ..._rpc_remote_procedure_call_from_the_internet.toml | 12 +++++++++---
 ...ss_rpc_remote_procedure_call_to_the_internet.toml | 12 +++++++++---
 ...indows_file_sharing_activity_to_the_internet.toml | 6 +++---
 11 files changed, 77 insertions(+), 33 deletions(-)

diff --git a/rules/network/command_and_control_download_rar_powershell_from_internet.toml b/rules/network/command_and_control_download_rar_powershell_from_internet.toml
index a3c5516f586..d7f59c1288a 100644
--- a/rules/network/command_and_control_download_rar_powershell_from_internet.toml
+++ b/rules/network/command_and_control_download_rar_powershell_from_internet.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/07/02"
-integration = ["network_traffic", "panw"]
+integration = ["network_traffic", "panw", "fortinet_fortigate"]
 maturity = "production"
-updated_date = "2024/09/18"
+updated_date = "2024/11/27"
 
 [rule]
 author = ["Elastic"]
@@ -34,7 +34,13 @@ references = [
 risk_score = 47
 rule_id = "ff013cb4-274d-434a-96bb-fe15ddd3ae92"
 severity = "medium"
-tags = ["Use Case: Threat Detection", "Tactic: Command and Control", "Domain: Endpoint", "Data Source: PAN-OS"]
+tags = [
+ "Use Case: Threat Detection",
+ "Tactic: Command and Control",
+ "Domain: Endpoint",
+ "Data Source: PAN-OS",
+ "Data Source: Fortinet-Fortigate"
+]
 timestamp_override = "event.ingested"
 type = "query"
 
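Review bot: The new tag `"Data Source: Fortinet-Fortigate"` in the `@@ -34,7 +34,13 @@` hunk should match whatever spelling the repository's tag list and other FortiGate-enabled rules already use, since the rule-schema validation presumably rejects unknown `Data Source:` values or, worse, accepts a variant spelling that splits the data source into two facets; the same applies to `fortinet_fortigate` in `integration`, which must be the package name the integration-manifest check looks up. The tag is added identically in the other ten files of this patch. Two of them, rdp (`@@ -31,7 +31,7 @@`) and smb (`@@ -21,7 +21,7 @@`), keep `tags` on a single line while the other nine are reflowed to one tag per line; I'd use the same multi-line form everywhere so the files stay consistent and later additions diff as one line.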
diff --git a/rules/network/command_and_control_nat_traversal_port_activity.toml b/rules/network/command_and_control_nat_traversal_port_activity.toml
index 6991d90e73c..42bf8385fc3 100644
--- a/rules/network/command_and_control_nat_traversal_port_activity.toml
+++ b/rules/network/command_and_control_nat_traversal_port_activity.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/02/18"
-integration = ["network_traffic", "panw"]
+integration = ["network_traffic", "panw", "fortinet_fortigate"]
 maturity = "production"
-updated_date = "2024/09/18"
+updated_date = "2024/11/27"
 
 [rule]
 author = ["Elastic"]
@@ -28,7 +28,13 @@ name = "IPSEC NAT Traversal Port Activity"
 risk_score = 21
 rule_id = "a9cb3641-ff4b-4cdc-a063-b4b8d02a67c7"
 severity = "low"
-tags = ["Tactic: Command and Control", "Domain: Endpoint", "Use Case: Threat Detection", "Data Source: PAN-OS"]
+tags = [
+ "Tactic: Command and Control",
+ "Domain: Endpoint",
+ "Use Case: Threat Detection",
+ "Data Source: PAN-OS",
+ "Data Source: Fortinet-Fortigate"
+]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/network/command_and_control_port_26_activity.toml b/rules/network/command_and_control_port_26_activity.toml
index 1073b315f6d..dc6cd85d9c3 100644
--- a/rules/network/command_and_control_port_26_activity.toml
+++ b/rules/network/command_and_control_port_26_activity.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/02/18"
-integration = ["network_traffic", "panw"]
+integration = ["network_traffic", "panw", "fortinet_fortigate"]
 maturity = "production"
-updated_date = "2024/09/18"
+updated_date = "2024/11/27"
 
 [rule]
 author = ["Elastic"]
@@ -29,7 +29,13 @@ references = [
 risk_score = 21
 rule_id = "d7e62693-aab9-4f66-a21a-3d79ecdd603d"
 severity = "low"
-tags = ["Tactic: Command and Control", "Domain: Endpoint", "Use Case: Threat Detection", "Data Source: PAN-OS"]
+tags = [
+ "Tactic: Command and Control",
+ "Domain: Endpoint",
+ "Use Case: Threat Detection",
+ "Data Source: PAN-OS",
+ "Data Source: Fortinet-Fortigate"
+]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/network/command_and_control_rdp_remote_desktop_protocol_from_the_internet.toml b/rules/network/command_and_control_rdp_remote_desktop_protocol_from_the_internet.toml
index 003e5bcf5c2..ebc9057aec4 100644
--- a/rules/network/command_and_control_rdp_remote_desktop_protocol_from_the_internet.toml
+++ b/rules/network/command_and_control_rdp_remote_desktop_protocol_from_the_internet.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/02/18"
-integration = ["network_traffic", "panw"]
+integration = ["network_traffic", "panw", "fortinet_fortigate"]
 maturity = "production"
-updated_date = "2024/09/18"
+updated_date = "2024/11/27"
 
 [rule]
 author = ["Elastic"]
@@ -31,7 +31,7 @@ references = ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana-
 risk_score = 47
 rule_id = "8c1bdde8-4204-45c0-9e0c-c85ca3902488"
 severity = "medium"
-tags = ["Tactic: Command and Control", "Domain: Endpoint", "Use Case: Threat Detection", "Data Source: PAN-OS"]
+tags = ["Tactic: Command and Control", "Domain: Endpoint", "Use Case: Threat Detection", "Data Source: PAN-OS", "Data Source: Fortinet-Fortigate"]
 timeline_id = "300afc76-072d-4261-864d-4149714bf3f1"
 timeline_title = "Comprehensive Network Timeline"
 timestamp_override = "event.ingested"
diff --git a/rules/network/command_and_control_vnc_virtual_network_computing_from_the_internet.toml b/rules/network/command_and_control_vnc_virtual_network_computing_from_the_internet.toml
index c4ec4887936..7e5fbd56431 100644
--- a/rules/network/command_and_control_vnc_virtual_network_computing_from_the_internet.toml
+++ b/rules/network/command_and_control_vnc_virtual_network_computing_from_the_internet.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/02/18"
-integration = ["network_traffic", "panw"]
+integration = ["network_traffic", "panw", "fortinet_fortigate"]
 maturity = "production"
-updated_date = "2024/09/18"
+updated_date = "2024/11/27"
 
 [rule]
 author = ["Elastic"]
@@ -29,7 +29,13 @@ references = ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana-
 risk_score = 73
 rule_id = "5700cb81-df44-46aa-a5d7-337798f53eb8"
 severity = "high"
-tags = ["Tactic: Command and Control", "Domain: Endpoint", "Use Case: Threat Detection", "Data Source: PAN-OS"]
+tags = [
+ "Tactic: Command and Control",
+ "Domain: Endpoint",
+ "Use Case: Threat Detection",
+ "Data Source: PAN-OS",
+ "Data Source: Fortinet-Fortigate"
+]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/network/command_and_control_vnc_virtual_network_computing_to_the_internet.toml b/rules/network/command_and_control_vnc_virtual_network_computing_to_the_internet.toml
index 6eae0b2da5d..66aca65f295 100644
--- a/rules/network/command_and_control_vnc_virtual_network_computing_to_the_internet.toml
+++ b/rules/network/command_and_control_vnc_virtual_network_computing_to_the_internet.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/02/18"
-integration = ["network_traffic", "panw"]
+integration = ["network_traffic", "panw", "fortinet_fortigate"]
 maturity = "production"
-updated_date = "2024/09/18"
+updated_date = "2024/11/27"
 
 [rule]
 author = ["Elastic"]
@@ -29,7 +29,13 @@ references = ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana-
 risk_score = 47
 rule_id = "3ad49c61-7adc-42c1-b788-732eda2f5abf"
 severity = "medium"
-tags = ["Tactic: Command and Control", "Domain: Endpoint", "Use Case: Threat Detection", "Data Source: PAN-OS"]
+tags = [
+ "Tactic: Command and Control",
+ "Domain: Endpoint",
+ "Use Case: Threat Detection",
+ "Data Source: PAN-OS",
+ "Data Source: Fortinet-Fortigate"
+]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/network/discovery_potential_network_sweep_detected.toml b/rules/network/discovery_potential_network_sweep_detected.toml
index 5ed40416021..9b96f919131 100644
--- a/rules/network/discovery_potential_network_sweep_detected.toml
+++ b/rules/network/discovery_potential_network_sweep_detected.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2023/05/17"
-integration = ["endpoint", "network_traffic", "panw"]
+integration = ["endpoint", "network_traffic", "panw", "fortinet_fortigate"]
 maturity = "production"
-updated_date = "2024/09/18"
+updated_date = "2024/11/27"
 
 [rule]
 author = ["Elastic"]
@@ -28,7 +28,8 @@ tags = [
 "Tactic: Reconnaissance",
 "Use Case: Network Security Monitoring",
 "Data Source: Elastic Defend",
- "Data Source: PAN-OS"
+ "Data Source: PAN-OS",
+ "Data Source: Fortinet-Fortigate"
 ]
 timestamp_override = "event.ingested"
 type = "threshold"
diff --git a/rules/network/discovery_potential_syn_port_scan_detected.toml b/rules/network/discovery_potential_syn_port_scan_detected.toml
index 479dc29982b..dda5f04c3f5 100644
--- a/rules/network/discovery_potential_syn_port_scan_detected.toml
+++ b/rules/network/discovery_potential_syn_port_scan_detected.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2023/05/17"
-integration = ["endpoint", "network_traffic", "panw"]
+integration = ["endpoint", "network_traffic", "panw", "fortinet_fortigate"]
 maturity = "production"
-updated_date = "2024/09/18"
+updated_date = "2024/11/27"
 
 [rule]
 author = ["Elastic"]
@@ -29,7 +29,8 @@ tags = [
 "Tactic: Reconnaissance",
 "Use Case: Network Security Monitoring",
 "Data Source: Elastic Defend",
- "Data Source: PAN-OS"
+ "Data Source: PAN-OS",
+ "Data Source: Fortinet-Fortigate"
 ]
 timestamp_override = "event.ingested"
 type = "threshold"
diff --git a/rules/network/initial_access_rpc_remote_procedure_call_from_the_internet.toml b/rules/network/initial_access_rpc_remote_procedure_call_from_the_internet.toml
index 8f5a61d1a4d..d0445b07d3d 100644
--- a/rules/network/initial_access_rpc_remote_procedure_call_from_the_internet.toml
+++ b/rules/network/initial_access_rpc_remote_procedure_call_from_the_internet.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/02/18"
-integration = ["network_traffic", "panw"]
+integration = ["network_traffic", "panw", "fortinet_fortigate"]
 maturity = "production"
-updated_date = "2024/09/18"
+updated_date = "2024/11/27"
 
 [rule]
 author = ["Elastic"]
@@ -21,7 +21,13 @@ references = ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana-
 risk_score = 73
 rule_id = "143cb236-0956-4f42-a706-814bcaa0cf5a"
 severity = "high"
-tags = ["Tactic: Initial Access", "Domain: Endpoint", "Use Case: Threat Detection", "Data Source: PAN-OS"]
+tags = [
+ "Tactic: Initial Access",
+ "Domain: Endpoint",
+ "Use Case: Threat Detection",
+ "Data Source: PAN-OS",
+ "Data Source: Fortinet-Fortigate"
+]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/network/initial_access_rpc_remote_procedure_call_to_the_internet.toml b/rules/network/initial_access_rpc_remote_procedure_call_to_the_internet.toml
index 73b5c50714c..aef8305524f 100644
--- a/rules/network/initial_access_rpc_remote_procedure_call_to_the_internet.toml
+++ b/rules/network/initial_access_rpc_remote_procedure_call_to_the_internet.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/02/18"
-integration = ["network_traffic", "panw"]
+integration = ["network_traffic", "panw", "fortinet_fortigate"]
 maturity = "production"
-updated_date = "2024/09/18"
+updated_date = "2024/11/27"
 
 [rule]
 author = ["Elastic"]
@@ -21,7 +21,13 @@ references = ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana-
 risk_score = 73
 rule_id = "32923416-763a-4531-bb35-f33b9232ecdb"
 severity = "high"
-tags = ["Tactic: Initial Access", "Domain: Endpoint", "Use Case: Threat Detection", "Data Source: PAN-OS"]
+tags = [
+ "Tactic: Initial Access",
+ "Domain: Endpoint",
+ "Use Case: Threat Detection",
+ "Data Source: PAN-OS",
+ "Data Source: Fortinet-Fortigate"
+]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/network/initial_access_smb_windows_file_sharing_activity_to_the_internet.toml b/rules/network/initial_access_smb_windows_file_sharing_activity_to_the_internet.toml
index 6247c21c934..82320c25a2c 100644
--- a/rules/network/initial_access_smb_windows_file_sharing_activity_to_the_internet.toml
+++ b/rules/network/initial_access_smb_windows_file_sharing_activity_to_the_internet.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/02/18"
-integration = ["network_traffic", "panw"]
+integration = ["network_traffic", "panw", "fortinet_fortigate"]
 maturity = "production"
-updated_date = "2024/09/18"
+updated_date = "2024/11/27"
 
 [rule]
 author = ["Elastic"]
@@ -21,7 +21,7 @@ references = ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana-
 risk_score = 73
 rule_id = "c82b2bd8-d701-420c-ba43-f11a155b681a"
 severity = "high"
-tags = ["Tactic: Initial Access", "Domain: Endpoint", "Use Case: Threat Detection", "Data Source: PAN-OS"]
+tags = ["Tactic: Initial Access", "Domain: Endpoint", "Use Case: Threat Detection", "Data Source: PAN-OS", "Data Source: Fortinet-Fortigate"]
 timestamp_override = "event.ingested"
 type = "query"
 