Custom Rule for Success Login after Failed


GDSOC

Apr 25, 2024, 5:51:16 AM
to Wazuh | Mailing List
I am trying to create a custom rule based on some examples out there but cannot get it to fire. I want the rule to trigger when a login is successful from an IP address after it first failed logging in. This is for a Fortigate VPN.

The built-in rules that detect a successful login are:

<rule id="81622" level="3">
  <if_sid>81603</if_sid>
  <match>level=information|level="information"</match>
  <action>tunnel-up</action>
  <description>Fortigate: VPN user connected.</description>
  <mitre>
    <id>T1078</id>
  </mitre>
  <group>authentication_success,gdpr_IV_32.2,gpg13_7.1,hipaa_164.312.b,nist_800_53_AC.7,nist_800_53_AU.14,pci_dss_10.2.5,</group>
</rule>


The built-in rules that detect a failed login are:

<rule id="81614" level="4">
  <if_sid>81603</if_sid>
  <match>ssl-login-fail</match>
  <description>Fortigate: SSL VPN user failed login attempt.</description>
  <group>authentication_failed,gdpr_IV_32.2,gdpr_IV_35.7.d,gpg13_7.1,hipaa_164.312.b,invalid_login,nist_800_53_AC.7,nist_800_53_AU.14,pci_dss_10.2.4,pci_dss_10.2.5,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
</rule>

Here is the rule I created. I couldn't use <same_source_ip> because the IP the user is coming from in the logs is just saved in the data.ip field:

<group name="fortigate,syslog,">
  <rule id="181622" level="12" timeframe="3600">
    <if_matched_sid>81622</if_matched_sid>
    <if_matched_group>authentication_failed</if_matched_group>
    <same_field>ip</same_field>
    <description>Multiple authentication failures followed by a success.</description>
    <group>pci_dss_10.2.4,pci_dss_10.2.5,pci_dss_11.4,gpg13_7.1,gpg13_7.8,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.7,nist_800_53_SI.4,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
  </rule>
</group>

Thank you for any guidance you can provide.

Stuti Gupta

Apr 25, 2024, 7:08:22 AM
to Wazuh | Mailing List

Hi GDSOC

You can achieve this with the help of timeframe and frequency. As you can see, there are two default rules, 81622 and 81614, for login failure and success; you can create a rule on that basis. To verify the field name and test this rule, please share the logs.

Hope to hear from you soon.
Regards

Stuti Gupta

Apr 25, 2024, 8:25:34 AM
to Wazuh | Mailing List
You can also refer to the rule syntax here: https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/rules.html And here is the reference for correlated rules:

<group name="fortigate,syslog,">
  <rule id="108702" level="4" frequency="2" timeframe="60">
    <if_matched_sid>81622</if_matched_sid>
    <if_sid>81614</if_sid>
    <same_field>remip</same_field>
    <description>Fortigate: Multiple Time VPN user tried connected from same source.</description>
  </rule>
</group>

In this case, if the remip IP is the same in both the 81622 and 81614 rules, and both trigger once within 60 s, it will trigger rule 108702.
If you have any issue with it, then share the log, and please hide the sensitive data.

Stuti Gupta

Apr 26, 2024, 5:41:26 AM
to Wazuh | Mailing List
Hi, please let me know if the issue is resolved.

GDSOC

Apr 30, 2024, 4:00:46 PM
to Wazuh | Mailing List
Thanks for the response. I tried to set up the rule as you had, but it still is not triggering. This is the rule:

<group name="fortigate,syslog,">
  <rule id="181622" level="12" frequency="2" timeframe="3600">
    <if_matched_sid>81622</if_matched_sid>
    <if_sid>81614</if_sid>
    <same_field>ip</same_field>
    <description>Successful and failed auth from same IP.</description>
  </rule>
  <rule id="181614" level="6" frequency="2" timeframe="300">
    <if_matched_sid>81614</if_matched_sid>
    <same_field>ip</same_field>
    <description>FGT SSLVPN - Multiple login failure</description>
  </rule>
</group>


I get 81614 (failed login), 181614 (multiple failed logins) and then 81622 (successful login). I cannot seem to get it to match the 181622 rule. Any ideas?

Stuti Gupta

May 1, 2024, 12:05:43 AM
to Wazuh | Mailing List
Hi GDSOC
Please ensure that the field name is accurate. You can click on the alert to view the field name and check whether it appears as the IP field you mentioned or under a different name. Additionally, if possible, kindly share the logs with us so we can conduct testing in our lab. Please remember to redact any sensitive content before sharing.

Hope this helps

GDSOC

May 1, 2024, 10:39:45 AM
to Wazuh | Mailing List
Thanks for your help. I verified that the user's IP is data.ip.

Attached are the logs in JSON. The first two are the failed logins and the third is the success. I tried changing it to match 181614, with multiple failed logins under that id as well, and it did not work either.

Logs.json

GDSOC

May 15, 2024, 9:36:02 AM
to Wazuh | Mailing List
Any suggestions on what I could have done wrong, so that I can get the rule to trigger as desired?

Thanks
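One way to express the ordering the original poster asked for, as an added example that is not part of the thread: in a Wazuh composite rule, <if_sid> names the rule the current event must match (here the success, 81622), while <if_matched_sid> names the earlier alerts that are looked up in the event list (here the failures, 81614), so putting the success in <if_matched_sid> fires on a later failure rather than on the success. The custom rule id, level and timeframe are arbitrary choices, and the correlation field assumes the decoded client address is `ip` (shown as data.ip in the alert), as verified in the thread.

```xml
<group name="fortigate,syslog,">
  <!-- Added example; rule id 100100 is an arbitrary custom id (assumption). -->
  <rule id="100100" level="10" frequency="2" timeframe="300">
    <!-- Current event: the successful VPN login (built-in rule 81622). -->
    <if_sid>81622</if_sid>
    <!-- Earlier alerts searched in the event list within the timeframe:
         SSL VPN login failures (built-in rule 81614), at least 2 of them. -->
    <if_matched_sid>81614</if_matched_sid>
    <!-- Correlate on the decoded client address (alert field data.ip). -->
    <same_field>ip</same_field>
    <description>Fortigate: VPN login succeeded from $(ip) after repeated failures.</description>
    <mitre>
      <id>T1078</id>
    </mitre>
    <group>authentication_success,</group>
  </rule>
</group>
```

Keep any separate "multiple failures" rule that also descends from 81614 in mind when testing: an event is stored in the event list under the last rule that matched it, so check which rule id the failure alerts actually carry before relying on <if_matched_sid>81614</if_matched_sid>.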
