80211WiGuy
Explorer III
November 14, 2025
Question

Can FAZ update a threat feed based on FAC logs for "AUTH_FAIL_NOUSER"?

  • November 14, 2025
  • 3 replies
  • 656 views

Hello,

I'm pretty new to FAZ, but we were sold on it based on its ability to trigger actions based on log events. Now that we have it, I'm not sure it can do what I had planned, though.
Problem: We're trying to phase out SSL-VPN but can't right now. We see constant attempts from certain subnets trying random usernames to log in that we'd like to block, but we don't want to block legitimate users who may have mistyped their username. The FAC log we see for this is "AUTH_FAIL_NOUSER" in the Log Description field.
Solution: I'd like to detect instances of "AUTH_FAIL_NOUSER" and note the <User IP>. If the User IP makes more than 5 attempts in 5 hrs, add that IP to a threat feed (maybe on FMG), or at least send an alert.
Currently I'm doing this manually by checking the logs whenever I have time and adding the IP to a threat feed we host on an internal GitHub server.
I was trying to search for a solution like this but haven't come across one yet.
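The per-IP threshold described in the post (more than 5 "AUTH_FAIL_NOUSER" events from one User IP inside 5 hours, then publish the IP to a plain-text feed), as an added example that is not from the thread or from Fortinet. The log lines are constructed; the logdesc and userip field names come from the thread, while the key=value layout and the feed format are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines, not real FortiAuthenticator output: the field names
# logdesc and userip come from the thread, the key=value layout is an assumption.
SAMPLE_LOGS = """\
date=2025-11-14 time=01:00:00 logdesc="AUTH_FAIL_NOUSER" user="jsmith1" userip=203.0.113.10
date=2025-11-14 time=01:05:00 logdesc="AUTH_FAIL_NOUSER" user="admin" userip=203.0.113.10
date=2025-11-14 time=01:07:00 logdesc="AUTH_FAIL_NOUSER" user="jsmtih" userip=198.51.100.7
date=2025-11-14 time=01:09:00 logdesc="OTHER_EVENT" user="jsmith" userip=198.51.100.7
date=2025-11-14 time=02:00:00 logdesc="AUTH_FAIL_NOUSER" user="test" userip=203.0.113.10
date=2025-11-14 time=03:00:00 logdesc="AUTH_FAIL_NOUSER" user="guest" userip=203.0.113.10
date=2025-11-14 time=04:00:00 logdesc="AUTH_FAIL_NOUSER" user="root" userip=203.0.113.10
date=2025-11-14 time=05:30:00 logdesc="AUTH_FAIL_NOUSER" user="sales" userip=203.0.113.10
"""
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')

def parse_line(line):
    """Split one key=value log line into a dict, unquoting quoted values."""
    return {k: (q if raw.startswith('"') else raw) for k, raw, q in FIELD_RE.findall(line)}

def flag_repeat_offenders(lines, threshold=6, window=timedelta(hours=5)):
    """Return the User IPs that produced at least `threshold` AUTH_FAIL_NOUSER
    events inside one sliding `window` (default: more than 5 in 5 hours)."""
    events = []
    for line in lines:
        f = parse_line(line)
        if f.get("logdesc") != "AUTH_FAIL_NOUSER" or "userip" not in f:
            continue  # other log descriptions never count toward the threshold
        ts = datetime.strptime(f["date"] + " " + f["time"], "%Y-%m-%d %H:%M:%S")
        events.append((ts, f["userip"]))
    events.sort()
    recent = defaultdict(deque)  # per-IP timestamps still inside the window
    flagged = set()
    for ts, ip in events:
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # expire events older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged.add(ip)
    return sorted(flagged)

def build_feed(ips):
    """One address per line: the plain-text layout an external block list expects."""
    return "".join(ip + "\n" for ip in ips)

if __name__ == "__main__":
    print(build_feed(flag_repeat_offenders(SAMPLE_LOGS.splitlines())), end="")
```

The single typo from 198.51.100.7 stays below the threshold, so only 203.0.113.10 ends up in the feed; the later "24 times in 24 hours" variant is just `threshold=24, window=timedelta(hours=24)`.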

3 replies

Anthony_E
Staff
November 17, 2025

Hello,

Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.

Thanks,

Best Regards
farhanahmed
Staff
November 17, 2025

Hi,

You can use a custom event handler to trigger an email alert:

Please refer to the doc:
https://docs.fortinet.com/document/fortianalyzer/7.6.4/administration-guide/348606/creating-a-custom-event-handler

In your case, identify the logs in FortiAnalyzer Log View and then use the log field in the event handler to trigger the alert.
https://community.fortinet.com/t5/FortiAnalyzer/Technical-Tip-How-create-an-Event-Handler-in-FortiAnalyzer-when/ta-p/290275

Troubleshoot Event Handlers:
https://community.fortinet.com/t5/FortiAnalyzer/Troubleshooting-Tip-How-to-troubleshoot-for-event-handler/ta-p/267722

80211WiGuy
Explorer III
November 26, 2025

Hi Farhan,

Sorry for my delay in coming back to this.
Thank you for the suggestion, but the examples provided are focused on FortiGate logs. I'm trying to hone in on FortiAuthenticator logs with (logdesc) "AUTH_FAIL_NOUSER". The guides provided also seem to be for an older version of FAZ where the forms have a different layout from what I'm seeing in v7.6.4.

In the Log Field, I've chosen Log Description. Then in Filters I've set "AUTH_FAIL_NOUSER". But I can't seem to find the option for grouping by "User IP", which is a field I'm able to filter by in the Log View. I want the rule to trigger when it sees AUTH_FAIL_NOUSER for the same User IP 24 times in 24 hours.

(Attached screenshot: AUTH_FAIL_NOUSER.png)

farhanahmed
Staff
November 29, 2025

Hi,
Under 'Define Event Conditions', when you select the second option 'Within a group, the log field xxxxxx', what does it show in the drop-down?

80211WiGuy
Explorer III
November 29, 2025

(Attached screenshot: DefineEventConditions.UserIP.png)

I am able to select User IP here...

80211WiGuy
Explorer III
November 29, 2025

I see that the Advanced Mode radio button option has "COUNT_DISTINCT(userip) >= 1".

I think what I'm looking for is an option to say "COUNT_MATCHES" for this. My searches for what can be used in this field are coming up empty.