| Search query | Rule ID | Rule name | Tags | MITRE ATT&CK |
|---|---|---|---|---|
| `fortigate dstport=3389 action="accept"` | A2-01 | [PROD] FortiGate: RDP (3389) traffic allowed | soc_prod, a2, rdp | T1021.001 |
| `fortigate action="password-change"` | A2-02 | [PROD] FortiGate: admin account password changed | soc_prod, a2, admin_change | T1098 |
| `fortigate action="create-admin"` | A2-03 | [PROD] FortiGate: new admin account created | soc_prod, a2, admin_change | T1136 |
| `fortigate action="config-change" config_value=disable` | A2-04 | [PROD] FortiGate: alerting/notification disabled via config change | soc_prod, a2, defense_evasion | T1562 |
| `fortigate action="download-config"` | A2-05 | [PROD] FortiGate: firewall configuration file downloaded | soc_prod, a2, config | T1005 |
| `fortigate subtype="ips" attack="Multiple.Critical` | A2-06 | [PROD] FortiGate IPS: multiple critical signatures triggered | soc_prod, a2, ips | T1595 |
| `fortigate subtype="anomaly" attack="TCP.Port.Scan"` | A2-07 | [PROD] FortiGate: TCP port scan from external IP | soc_prod, a2, recon | T1046 |
| `fortigate subtype="ips" ioc_type=ip` | A2-08 | [PROD] FortiGate IPS: IOC-based IP indicator detected | soc_prod, a2, ioc | T1071.001 |
| `fortigate subtype="anomaly" attack="Internal.Port.Scan"` | A2-09 | [PROD] FortiGate: internal port scan from private source IP | soc_prod, a2, recon | T1046 |
| `fortigate threat_label="known-c2"` | A2-10 | [PROD] FortiGate: traffic to known C2/malicious IP allowed | soc_prod, a2, ioc, c2 | T1071.001 |