A local user can be created for legitimate purposes. Investigate the user details to determine if it is authorized.

Techniques

Sample rules

FortiGate - New Local User Created

Description

Detects the creation of a new local user on a Fortinet FortiGate Firewall. The new local user could be used for VPN connections.

Detection logic

condition: selection
selection:
  action: Add
  cfgpath: user.local