| 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114 |
- <!--
- SOC Proposal Rules — Appendix A2: FortiGate IPS/IDS & Firewall
- Simulation profile rule IDs : 100311-100320
- Production profile rule IDs : 110311-110320
- Severity mapping:
- High → level 12
- Medium → level 8
- Low → level 5
- -->
- <group name="soc_mvp,appendix_a,a2,fortigate,">
- <!-- ── Simulation profile ── -->
- <!-- ── Production profile (if_group=fortigate, no soc_mvp_test required) ── -->
- <rule id="110311" level="12">
- <if_group>fortigate</if_group>
- <match>dstport=3389</match>
- <match>action="accept"</match>
- <description>A2-01 [PROD] FortiGate: RDP (3389) traffic allowed</description>
- <group>soc_prod,a2,rdp,</group>
- <mitre><id>T1021.001</id></mitre>
- </rule>
- <rule id="110312" level="12">
- <if_group>fortigate</if_group>
- <match>action="password-change"</match>
- <description>A2-02 [PROD] FortiGate: admin account password changed</description>
- <group>soc_prod,a2,admin_change,</group>
- <mitre><id>T1098</id></mitre>
- </rule>
- <rule id="110313" level="12">
- <if_group>fortigate</if_group>
- <match>action="create-admin"</match>
- <description>A2-03 [PROD] FortiGate: new admin account created</description>
- <group>soc_prod,a2,admin_change,</group>
- <mitre><id>T1136</id></mitre>
- </rule>
- <rule id="110314" level="12">
- <if_group>fortigate</if_group>
- <match>action="config-change"</match>
- <match>config_value=disable</match>
- <description>A2-04 [PROD] FortiGate: alerting/notification disabled via config change</description>
- <group>soc_prod,a2,defense_evasion,</group>
- <mitre><id>T1562</id></mitre>
- </rule>
- <rule id="110315" level="5">
- <if_group>fortigate</if_group>
- <match>action="download-config"</match>
- <description>A2-05 [PROD] FortiGate: firewall configuration file downloaded</description>
- <group>soc_prod,a2,config,</group>
- <mitre><id>T1005</id></mitre>
- </rule>
- <rule id="110316" level="8">
- <if_group>fortigate</if_group>
- <match>subtype="ips"</match>
- <match>attack="Multiple.Critical</match>
- <description>A2-06 [PROD] FortiGate IPS: multiple critical signatures triggered</description>
- <group>soc_prod,a2,ips,</group>
- <mitre><id>T1595</id></mitre>
- </rule>
- <rule id="110317" level="5">
- <if_group>fortigate</if_group>
- <match>subtype="anomaly"</match>
- <match>attack="TCP.Port.Scan"</match>
- <description>A2-07 [PROD] FortiGate: TCP port scan from external IP</description>
- <group>soc_prod,a2,recon,</group>
- <mitre><id>T1046</id></mitre>
- </rule>
- <rule id="110318" level="8">
- <if_group>fortigate</if_group>
- <match>subtype="ips"</match>
- <match>ioc_type=ip</match>
- <description>A2-08 [PROD] FortiGate IPS: IOC-based IP indicator detected</description>
- <group>soc_prod,a2,ioc,</group>
- <mitre><id>T1071.001</id></mitre>
- </rule>
- <rule id="110319" level="8">
- <if_group>fortigate</if_group>
- <match>subtype="anomaly"</match>
- <match>attack="Internal.Port.Scan"</match>
- <description>A2-09 [PROD] FortiGate: internal port scan from private source IP</description>
- <group>soc_prod,a2,recon,</group>
- <mitre><id>T1046</id></mitre>
- </rule>
- <rule id="110320" level="8">
- <if_group>fortigate</if_group>
- <match>threat_label="known-c2"</match>
- <description>A2-10 [PROD] FortiGate: traffic to known C2/malicious IP allowed</description>
- <group>soc_prod,a2,ioc,c2,</group>
- <mitre><id>T1071.001</id></mitre>
- </rule>
- </group>