Add Fortigate Fortinet index to multiple detection rules

rules/network/command_and_control_download_rar_powershell_from_internet.toml

@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/07/02"
-integration = ["network_traffic", "panw"]
+integration = ["network_traffic", "panw", "fortinet_fortigate"]
 maturity = "production"
-updated_date = "2024/09/18"
+updated_date = "2024/11/27"
 
 [rule]
 author = ["Elastic"]
@@ -19,7 +19,7 @@ false_positives = [
     """,
 ]
 from = "now-9m"
-index = ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*", "logs-panw.panos*"]
+index = ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*", "logs-panw.panos*", "logs-fortinet_fortigate.*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Roshal Archive (RAR) or PowerShell File Downloaded from the Internet"
@@ -34,7 +34,13 @@ references = [
 risk_score = 47
 rule_id = "ff013cb4-274d-434a-96bb-fe15ddd3ae92"
 severity = "medium"
-tags = ["Use Case: Threat Detection", "Tactic: Command and Control", "Domain: Endpoint", "Data Source: PAN-OS"]
+tags = [
+  "Use Case: Threat Detection", 
+  "Tactic: Command and Control", 
+  "Domain: Endpoint", 
+  "Data Source: PAN-OS", 
+  "Data Source: Fortinet-Fortigate"
+]
 timestamp_override = "event.ingested"
 type = "query"
 

rules/network/command_and_control_nat_traversal_port_activity.toml

@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/02/18"
-integration = ["network_traffic", "panw"]
+integration = ["network_traffic", "panw", "fortinet_fortigate"]
 maturity = "production"
-updated_date = "2024/09/18"
+updated_date = "2024/11/27"
 
 [rule]
 author = ["Elastic"]
@@ -21,14 +21,20 @@ false_positives = [
     """,
 ]
 from = "now-9m"
-index = ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*", "logs-panw.*"]
+index = ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*", "logs-panw.*", "logs-fortinet_fortigate.*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "IPSEC NAT Traversal Port Activity"
 risk_score = 21
 rule_id = "a9cb3641-ff4b-4cdc-a063-b4b8d02a67c7"
 severity = "low"
-tags = ["Tactic: Command and Control", "Domain: Endpoint", "Use Case: Threat Detection", "Data Source: PAN-OS"]
+tags = [
+    "Tactic: Command and Control", 
+    "Domain: Endpoint", 
+    "Use Case: Threat Detection", 
+    "Data Source: PAN-OS", 
+    "Data Source: Fortinet-Fortigate"
+]
 timestamp_override = "event.ingested"
 type = "query"
 

rules/network/command_and_control_port_26_activity.toml

@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/02/18"
-integration = ["network_traffic", "panw"]
+integration = ["network_traffic", "panw", "fortinet_fortigate"]
 maturity = "production"
-updated_date = "2024/09/18"
+updated_date = "2024/11/27"
 
 [rule]
 author = ["Elastic"]
@@ -18,7 +18,7 @@ false_positives = [
     """,
 ]
 from = "now-9m"
-index = ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*", "logs-panw.panos*"]
+index = ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*", "logs-panw.panos*", "logs-fortinet_fortigate.*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "SMTP on Port 26/TCP"
@@ -29,7 +29,13 @@ references = [
 risk_score = 21
 rule_id = "d7e62693-aab9-4f66-a21a-3d79ecdd603d"
 severity = "low"
-tags = ["Tactic: Command and Control", "Domain: Endpoint", "Use Case: Threat Detection", "Data Source: PAN-OS"]
+tags = [
+    "Tactic: Command and Control", 
+    "Domain: Endpoint", 
+    "Use Case: Threat Detection", 
+    "Data Source: PAN-OS", 
+    "Data Source: Fortinet-Fortigate"
+]
 timestamp_override = "event.ingested"
 type = "query"
 

rules/network/command_and_control_rdp_remote_desktop_protocol_from_the_internet.toml

@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/02/18"
-integration = ["network_traffic", "panw"]
+integration = ["network_traffic", "panw", "fortinet_fortigate"]
 maturity = "production"
-updated_date = "2024/09/18"
+updated_date = "2024/11/27"
 
 [rule]
 author = ["Elastic"]
@@ -23,15 +23,15 @@ false_positives = [
     """,
 ]
 from = "now-9m"
-index = ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*", "logs-panw.panos*"]
+index = ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*", "logs-panw.panos*", "logs-fortinet_fortigate.*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "RDP (Remote Desktop Protocol) from the Internet"
 references = ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"]
 risk_score = 47
 rule_id = "8c1bdde8-4204-45c0-9e0c-c85ca3902488"
 severity = "medium"
-tags = ["Tactic: Command and Control", "Domain: Endpoint", "Use Case: Threat Detection", "Data Source: PAN-OS"]
+tags = ["Tactic: Command and Control", "Domain: Endpoint", "Use Case: Threat Detection", "Data Source: PAN-OS", "Data Source: Fortinet-Fortigate"]
 timeline_id = "300afc76-072d-4261-864d-4149714bf3f1"
 timeline_title = "Comprehensive Network Timeline"
 timestamp_override = "event.ingested"

rules/network/command_and_control_vnc_virtual_network_computing_from_the_internet.toml

@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/02/18"
-integration = ["network_traffic", "panw"]
+integration = ["network_traffic", "panw", "fortinet_fortigate"]
 maturity = "production"
-updated_date = "2024/09/18"
+updated_date = "2024/11/27"
 
 [rule]
 author = ["Elastic"]
@@ -21,15 +21,21 @@ false_positives = [
     """,
 ]
 from = "now-9m"
-index = ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*", "logs-panw.panos*"]
+index = ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*", "logs-panw.panos*", "logs-fortinet_fortigate.*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "VNC (Virtual Network Computing) from the Internet"
 references = ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"]
 risk_score = 73
 rule_id = "5700cb81-df44-46aa-a5d7-337798f53eb8"
 severity = "high"
-tags = ["Tactic: Command and Control", "Domain: Endpoint", "Use Case: Threat Detection", "Data Source: PAN-OS"]
+tags = [
+  "Tactic: Command and Control", 
+  "Domain: Endpoint", 
+  "Use Case: Threat Detection", 
+  "Data Source: PAN-OS", 
+  "Data Source: Fortinet-Fortigate"
+]
 timestamp_override = "event.ingested"
 type = "query"
 

rules/network/command_and_control_vnc_virtual_network_computing_to_the_internet.toml

@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/02/18"
-integration = ["network_traffic", "panw"]
+integration = ["network_traffic", "panw", "fortinet_fortigate"]
 maturity = "production"
-updated_date = "2024/09/18"
+updated_date = "2024/11/27"
 
 [rule]
 author = ["Elastic"]
@@ -21,15 +21,21 @@ false_positives = [
     """,
 ]
 from = "now-9m"
-index = ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*", "logs-panw.panos*"]
+index = ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*", "logs-panw.panos*", "logs-fortinet_fortigate.*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "VNC (Virtual Network Computing) to the Internet"
 references = ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"]
 risk_score = 47
 rule_id = "3ad49c61-7adc-42c1-b788-732eda2f5abf"
 severity = "medium"
-tags = ["Tactic: Command and Control", "Domain: Endpoint", "Use Case: Threat Detection", "Data Source: PAN-OS"]
+tags = [
+  "Tactic: Command and Control", 
+  "Domain: Endpoint", 
+  "Use Case: Threat Detection", 
+  "Data Source: PAN-OS", 
+  "Data Source: Fortinet-Fortigate"
+]
 timestamp_override = "event.ingested"
 type = "query"
 

rules/network/discovery_potential_network_sweep_detected.toml

@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2023/05/17"
-integration = ["endpoint", "network_traffic", "panw"]
+integration = ["endpoint", "network_traffic", "panw", "fortinet_fortigate"]
 maturity = "production"
-updated_date = "2024/09/18"
+updated_date = "2024/11/27"
 
 [rule]
 author = ["Elastic"]
@@ -14,7 +14,7 @@ theft, or other malicious activities. This rule proposes threshold logic to chec
 source host to 10 or more destination hosts on commonly used network services.
 """
 from = "now-9m"
-index = ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*", "logs-endpoint.events.network-*", "logs-panw.panos*"]
+index = ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*", "logs-endpoint.events.network-*", "logs-panw.panos*", "logs-fortinet_fortigate.*"]
 language = "kuery"
 license = "Elastic License v2"
 max_signals = 5
@@ -28,7 +28,8 @@ tags = [
     "Tactic: Reconnaissance",
     "Use Case: Network Security Monitoring",
     "Data Source: Elastic Defend",
-    "Data Source: PAN-OS"
+    "Data Source: PAN-OS", 
+    "Data Source: Fortinet-Fortigate"
 ]
 timestamp_override = "event.ingested"
 type = "threshold"

rules/network/discovery_potential_syn_port_scan_detected.toml

@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2023/05/17"
-integration = ["endpoint", "network_traffic", "panw"]
+integration = ["endpoint", "network_traffic", "panw", "fortinet_fortigate"]
 maturity = "production"
-updated_date = "2024/09/18"
+updated_date = "2024/11/27"
 
 [rule]
 author = ["Elastic"]
@@ -15,7 +15,7 @@ to data breaches or further malicious activities. This rule proposes threshold l
 from one source host to 10 or more destination ports using 2 or less packets per port.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.network-*", "logs-network_traffic.*", "packetbeat-*", "auditbeat-*", "filebeat-*", "logs-panw.panos*"]
+index = ["logs-endpoint.events.network-*", "logs-network_traffic.*", "packetbeat-*", "auditbeat-*", "filebeat-*", "logs-panw.panos*", "logs-fortinet_fortigate.*"]
 language = "kuery"
 license = "Elastic License v2"
 max_signals = 5
@@ -29,7 +29,8 @@ tags = [
     "Tactic: Reconnaissance",
     "Use Case: Network Security Monitoring",
     "Data Source: Elastic Defend",
-    "Data Source: PAN-OS"
+    "Data Source: PAN-OS",
+    "Data Source: Fortinet-Fortigate"
 ]
 timestamp_override = "event.ingested"
 type = "threshold"

rules/network/initial_access_rpc_remote_procedure_call_from_the_internet.toml

@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/02/18"
-integration = ["network_traffic", "panw"]
+integration = ["network_traffic", "panw", "fortinet_fortigate"]
 maturity = "production"
-updated_date = "2024/09/18"
+updated_date = "2024/11/27"
 
 [rule]
 author = ["Elastic"]
@@ -13,15 +13,21 @@ directly exposed to the Internet, as it is frequently targeted and exploited by
 backdoor vector.
 """
 from = "now-9m"
-index = ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*", "logs-panw.panos*"]
+index = ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*", "logs-panw.panos*", "logs-fortinet_fortigate.*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "RPC (Remote Procedure Call) from the Internet"
 references = ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"]
 risk_score = 73
 rule_id = "143cb236-0956-4f42-a706-814bcaa0cf5a"
 severity = "high"
-tags = ["Tactic: Initial Access", "Domain: Endpoint", "Use Case: Threat Detection", "Data Source: PAN-OS"]
+tags = [
+  "Tactic: Initial Access", 
+  "Domain: Endpoint", 
+  "Use Case: Threat Detection", 
+  "Data Source: PAN-OS", 
+  "Data Source: Fortinet-Fortigate"
+]
 timestamp_override = "event.ingested"
 type = "query"
 

rules/network/initial_access_rpc_remote_procedure_call_to_the_internet.toml

@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/02/18"
-integration = ["network_traffic", "panw"]
+integration = ["network_traffic", "panw", "fortinet_fortigate"]
 maturity = "production"
-updated_date = "2024/09/18"
+updated_date = "2024/11/27"
 
 [rule]
 author = ["Elastic"]
@@ -13,15 +13,21 @@ directly exposed to the Internet, as it is frequently targeted and exploited by
 backdoor vector.
 """
 from = "now-9m"
-index = ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*", "logs-panw.panos*"]
+index = ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*", "logs-panw.panos*", "logs-fortinet_fortigate.*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "RPC (Remote Procedure Call) to the Internet"
 references = ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"]
 risk_score = 73
 rule_id = "32923416-763a-4531-bb35-f33b9232ecdb"
 severity = "high"
-tags = ["Tactic: Initial Access", "Domain: Endpoint", "Use Case: Threat Detection", "Data Source: PAN-OS"]
+tags = [
+  "Tactic: Initial Access", 
+  "Domain: Endpoint", 
+  "Use Case: Threat Detection", 
+  "Data Source: PAN-OS", 
+  "Data Source: Fortinet-Fortigate"
+]
 timestamp_override = "event.ingested"
 type = "query"
 

rules/network/initial_access_smb_windows_file_sharing_activity_to_the_internet.toml

@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/02/18"
-integration = ["network_traffic", "panw"]
+integration = ["network_traffic", "panw", "fortinet_fortigate"]
 maturity = "production"
-updated_date = "2024/09/18"
+updated_date = "2024/11/27"
 
 [rule]
 author = ["Elastic"]
@@ -13,15 +13,15 @@ systems. It should almost never be directly exposed to the Internet, as it is fr
 threat actors as an initial access or backdoor vector or for data exfiltration.
 """
 from = "now-9m"
-index = ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*", "logs-panw.panos*"]
+index = ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*", "logs-panw.panos*", "logs-fortinet_fortigate.*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "SMB (Windows File Sharing) Activity to the Internet"
 references = ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"]
 risk_score = 73
 rule_id = "c82b2bd8-d701-420c-ba43-f11a155b681a"
 severity = "high"
-tags = ["Tactic: Initial Access", "Domain: Endpoint", "Use Case: Threat Detection", "Data Source: PAN-OS"]
+tags = ["Tactic: Initial Access", "Domain: Endpoint", "Use Case: Threat Detection", "Data Source: PAN-OS", "Data Source: Fortinet-Fortigate"]
 timestamp_override = "event.ingested"
 type = "query"