Managed Sentinel – Alert 159
Alert ID | MS-A159
Alert Name | Admin authentication failure detected on firewall - Fortinet
Description | This alert is triggered whenever x login failures are detected within y minutes for the admin/root user account on any particular Fortinet firewall.
Severity Level | Low
Threat Indicator | Root Access
MITRE ATT&CK Tactics | Credential Access, Lateral Movement
Log sources | Firewalls
False Positives | Penetration Tests
Recommendations |
1. Change the admin/root/administrator account password.
2. Log into the firewall console and review the change history.
3. Block the IP address that requested console access.
4. Consider disabling management access from untrusted zones (best practice).
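As an added example, not part of this alert card and not Managed Sentinel's rule logic, the Python below shows the threshold detection the description outlines ("x failures in y minutes" per admin account per firewall) run over constructed FortiGate-style event lines. The concrete threshold (5 failures), window (10 minutes), device name, IP addresses and the sample field values are assumptions; the key=value fields follow the FortiGate system event log layout.

```python
"""Sliding-window detection of repeated admin login failures in FortiGate-style event logs.

Example code added for illustration; it is not Managed Sentinel's rule implementation.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# The alert card only says "x failures in y minutes"; these concrete values are assumptions.
FAILURE_THRESHOLD = 5
WINDOW = timedelta(minutes=10)
ADMIN_ACCOUNTS = {"admin", "root", "administrator"}

# Constructed FortiGate-style system event lines (key=value syslog format), not captured logs.
# Device name, user names and IP addresses are made up for this example.
SAMPLE_LOGS = [
    'date=2024-05-01 time=09:00:05 devname="FGT-EDGE-1" type="event" subtype="system" user="admin" ui="https(203.0.113.5)" srcip=203.0.113.5 action="login" status="failed" reason="passwd_invalid"',
    'date=2024-05-01 time=09:00:17 devname="FGT-EDGE-1" type="event" subtype="system" user="admin" ui="https(203.0.113.5)" srcip=203.0.113.5 action="login" status="failed" reason="passwd_invalid"',
    'date=2024-05-01 time=09:00:31 devname="FGT-EDGE-1" type="event" subtype="system" user="admin" ui="https(203.0.113.5)" srcip=203.0.113.5 action="login" status="failed" reason="passwd_invalid"',
    'date=2024-05-01 time=09:01:02 devname="FGT-EDGE-1" type="event" subtype="system" user="admin" ui="https(203.0.113.5)" srcip=203.0.113.5 action="login" status="failed" reason="passwd_invalid"',
    'date=2024-05-01 time=09:01:20 devname="FGT-EDGE-1" type="event" subtype="system" user="alice" ui="https(198.51.100.7)" srcip=198.51.100.7 action="login" status="failed" reason="passwd_invalid"',
    'date=2024-05-01 time=09:01:44 devname="FGT-EDGE-1" type="event" subtype="system" user="admin" ui="https(203.0.113.5)" srcip=203.0.113.5 action="login" status="failed" reason="passwd_invalid"',
    'date=2024-05-01 time=09:02:03 devname="FGT-EDGE-1" type="event" subtype="system" user="admin" ui="https(203.0.113.5)" srcip=203.0.113.5 action="login" status="failed" reason="passwd_invalid"',
    'date=2024-05-01 time=09:05:00 devname="FGT-EDGE-1" type="event" subtype="system" user="admin" ui="https(192.0.2.10)" srcip=192.0.2.10 action="login" status="success"',
    'date=2024-05-01 time=09:40:00 devname="FGT-EDGE-1" type="event" subtype="system" user="admin" ui="https(203.0.113.9)" srcip=203.0.113.9 action="login" status="failed" reason="passwd_invalid"',
]

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line):
    """Parse one key=value FortiGate event line into a dict, stripping surrounding quotes."""
    return {key: value.strip('"') for key, value in KV_RE.findall(line)}


def event_time(event):
    """Combine the separate date and time fields into a datetime."""
    return datetime.strptime(f"{event['date']} {event['time']}", "%Y-%m-%d %H:%M:%S")


def is_admin_login_failure(event):
    """True for a failed management-interface login by an admin-class account."""
    return (
        event.get("subtype") == "system"
        and event.get("action") == "login"
        and event.get("status") == "failed"
        and event.get("user", "").lower() in ADMIN_ACCOUNTS
    )


def detect_admin_login_failures(lines, threshold=FAILURE_THRESHOLD, window=WINDOW):
    """Return one alert per (device, account) whose failures reach `threshold` within `window`.

    Failures are tracked per device and account in a sliding window; once the threshold is
    hit the window is cleared so the same burst does not raise a second alert.
    """
    events = sorted((parse_event(line) for line in lines), key=event_time)
    recent = defaultdict(deque)  # (devname, user) -> deque of (timestamp, srcip)
    alerts = []
    for event in events:
        if not is_admin_login_failure(event):
            continue
        key = (event.get("devname", "?"), event["user"].lower())
        now = event_time(event)
        bucket = recent[key]
        bucket.append((now, event.get("srcip", "?")))
        # Drop failures that fell out of the window.
        while bucket and now - bucket[0][0] > window:
            bucket.popleft()
        if len(bucket) >= threshold:
            alerts.append({
                "devname": key[0],
                "user": key[1],
                "count": len(bucket),
                "first_seen": bucket[0][0].strftime("%Y-%m-%d %H:%M:%S"),
                "last_seen": now.strftime("%Y-%m-%d %H:%M:%S"),
                # Source IPs are the candidates for the "block IP address" recommendation.
                "source_ips": sorted({ip for _, ip in bucket}),
            })
            bucket.clear()
    return alerts


if __name__ == "__main__":
    for alert in detect_admin_login_failures(SAMPLE_LOGS):
        print(alert)
```

On the constructed lines the fifth admin failure at 09:01:44 raises a single alert listing 203.0.113.5 as the source; the failure for the non-admin account and the isolated failure at 09:40:00 (outside the window) do not. A penetration test run against the management interface produces exactly the same pattern, which is why the card lists it as a false positive; correlating the source IP against the test team's declared addresses is the usual triage step.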