| Parent rule(s) | Match condition | Rule ID | Description | Groups | MITRE ATT&CK |
|---|---|---|---|---|---|
| 81603 | `type="traffic"\|type=traffic` `dstport=3389` `action="accept"\|action=accept` | A2-01 | [PROD] FortiGate: RDP (3389) traffic allowed | soc_prod,a2,rdp, | T1021.001 |
| 81603 | `action="password-change"\|action=password-change` | A2-02 | [PROD] FortiGate: admin account password changed | soc_prod,a2,admin_change, | T1098 |
| 81603 | `action="create-admin"\|action=create-admin` | A2-03 | [PROD] FortiGate: new admin account created | soc_prod,a2,admin_change, | T1136 |
| 81608, 81612 | `config_value=disable\|"disable"` | A2-04 | [PROD] FortiGate: alerting/notification disabled via config change | soc_prod,a2,defense_evasion, | T1562 |
| 81603 | `action="download-config"\|action=download-config` | A2-05 | [PROD] FortiGate: firewall configuration file downloaded | soc_prod,a2,config, | T1005 |
| 81628, 81629 | `severity="critical"\|severity="high"\|severity=critical\|severity=high` | A2-06 | [PROD] FortiGate IPS: critical/high attack signature triggered | soc_prod,a2,ips, | T1595 |
| 81628, 81629 | `attack="TCP.Port.Scan"\|TCP.Port.Scan` | A2-07 | [PROD] FortiGate: TCP port scan from external IP | soc_prod,a2,recon, | T1046 |
| 81628, 81629 | `ioc_type=ip\|ioc_type="ip"` | A2-08 | [PROD] FortiGate IPS: IOC-based IP indicator detected | soc_prod,a2,ioc, | T1071.001 |
| 81628, 81629 | `attack="Internal.Port.Scan"\|Internal.Port.Scan` | A2-09 | [PROD] FortiGate: internal port scan from private source IP | soc_prod,a2,recon, | T1046 |
| 81603 | `type="traffic"\|type=traffic` `threat_label="known-c2"\|threat_label=known-c2` | A2-10 | [PROD] FortiGate: traffic to known C2/malicious IP allowed | soc_prod,a2,ioc,c2, | T1071.001 |
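To show what the match conditions above actually fire on, here is an added example (not the page's own rule set or any SIEM's code) that parses FortiGate-style key=value log lines and evaluates a subset of the A2 rules over constructed sample lines. The sample lines, the `RULES` table and the `parse_fortigate`/`evaluate` helpers are all assumptions made for this example; parent-rule gating (81603, 81628, 81629) is not modelled, only the per-rule field conditions.

```python
import re
from typing import Dict, List, Tuple

# Constructed FortiGate-style log lines for the demo (not real device output).
SAMPLE_LOGS = [
    'date=2024-01-01 time=10:00:00 devname="fgt" type="traffic" subtype="forward" srcip=10.0.0.5 dstip=10.0.0.9 dstport=3389 action="accept"',
    'date=2024-01-01 time=10:01:00 devname="fgt" type="event" subtype="system" user="admin" action="create-admin" msg="Add admin backup"',
    'date=2024-01-01 time=10:02:00 devname="fgt" type="traffic" subtype="forward" srcip=10.0.0.5 dstip=203.0.113.7 dstport=443 action="accept" threat_label="known-c2"',
    'date=2024-01-01 time=10:03:00 devname="fgt" type="utm" subtype="ips" severity="high" attack="TCP.Port.Scan" srcip=198.51.100.4',
    'date=2024-01-01 time=10:04:00 devname="fgt" type="traffic" subtype="forward" srcip=10.0.0.5 dstip=10.0.0.9 dstport=443 action="accept"',
]

# key=value pairs; values are either a double-quoted string (may contain spaces) or a bare token.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fortigate(line: str) -> Dict[str, str]:
    """Split a FortiGate key=value line into a dict, stripping surrounding quotes.

    Stripping quotes is what collapses the quoted/unquoted alternations in the
    rule table (e.g. type="traffic"|type=traffic) into a single comparison.
    """
    return {key: value.strip('"') for key, value in KV_RE.findall(line)}


# (rule id, MITRE technique, required fields). A field matches if its value is in the set,
# mirroring the "|" alternatives in the table. All listed fields must match.
RULES: List[Tuple[str, str, Dict[str, set]]] = [
    ("A2-01", "T1021.001", {"type": {"traffic"}, "dstport": {"3389"}, "action": {"accept"}}),
    ("A2-02", "T1098", {"action": {"password-change"}}),
    ("A2-03", "T1136", {"action": {"create-admin"}}),
    ("A2-06", "T1595", {"severity": {"critical", "high"}}),
    ("A2-07", "T1046", {"attack": {"TCP.Port.Scan"}}),
    ("A2-10", "T1071.001", {"type": {"traffic"}, "threat_label": {"known-c2"}}),
]


def match_rules(fields: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (rule id, technique) for every rule whose conditions all hold."""
    return [(rid, tech) for rid, tech, cond in RULES
            if all(fields.get(key) in values for key, values in cond.items())]


def evaluate(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Run every rule over every line; one hit per (line index, rule id, technique)."""
    hits = []
    for idx, line in enumerate(lines):
        for rid, tech in match_rules(parse_fortigate(line)):
            hits.append((idx, rid, tech))
    return hits


if __name__ == "__main__":
    for idx, rid, tech in evaluate(SAMPLE_LOGS):
        print(f"line {idx}: {rid} ({tech}) src={parse_fortigate(SAMPLE_LOGS[idx]).get('srcip')}")
```

Note that the IPS line fires both A2-06 and A2-07, which is the expected behaviour for independent rules sharing the same parent; de-duplication or priority is a SIEM-side decision, not part of the match conditions.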