Created on 06-12-2023 01:39 AM Edited on 06-12-2023 02:37 AM
I would like to check who accessed with a default password inside our IT infrastructure. Basically, I define and create all user names and passwords (inside Default Password in the Resources section) that are defaults for our network entities, and then create a rule that triggers an incident for me whenever a user accesses with an event type inside the default password group in the security rules section?
Created on 06-14-2023 02:21 PM
The “Default Password” predefined list (available in the Resources section) is used by the system during the Discovery process (while updating/populating the CMDB), and lets you know if the device credentials are still set to default (according to the well-known/publicly available credentials listed in the “Default Password” list). If this is the case, Incident(s) will be reported upon Discovery without the need to create a custom Rule (the system uses a predefined Rule named “Default Password Detected by System”).
If you want to perform Analytics (or create an alerting Rule) based on a specific list of login user names, you can create your own Watch List, populate it with those names (one by one, or by importing the user name list from a CSV file) and then define a Filter based on: attribute “User”, Operator “IN”, while for the “Value” field use the “Select from CMDB” option and select the newly created Watch List.
If you also want to perform Analytics (or create an alerting Rule) based on a list of login passwords, you should take into consideration the fact that you should not have your devices configured to send logs (e.g. syslogs to FortiSIEM) which contain passwords in clear text.
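
The logic of the two suggestions above (a "User IN watch list" filter, and keeping clear-text passwords out of forwarded logs) can be tried offline with the sketch below. It is an added example, not part of the original replies and not FortiSIEM code; the CSV layout, log lines and regular expressions are constructed assumptions.

```python
import csv
import io
import re

# Constructed watch list, one user name per CSV row (assumed layout).
WATCHLIST_CSV = "admin\nroot\ncisco\nubnt\n"

# Constructed login events in two common syslog styles.
SAMPLE_LOGS = [
    "Jun 12 01:40:02 sw-core-1 sshd[811]: Accepted password for admin from 10.0.4.17 port 50122 ssh2",
    "Jun 12 01:41:10 fw-edge login: user=jsmith action=login status=success srcip=10.0.4.20",
    "Jun 12 01:42:33 ap-lobby httpd: login ok user=ubnt password=ubnt src=10.0.9.5",
    "Jun 12 01:43:00 sw-core-1 sshd[822]: Failed password for root from 10.0.4.99 port 50200 ssh2",
]

# Hypothetical patterns that fit these sample formats only.
USER_RE = re.compile(r"(?:\bfor |\buser=)(?P<user>[\w.\-]+)")
SUCCESS_RE = re.compile(r"Accepted password|status=success|login ok", re.I)
SECRET_RE = re.compile(r"\b(password|passwd|pwd)=(\S+)", re.I)


def load_watchlist(text):
    """Return the lower-cased user names from a one-column CSV."""
    rows = csv.reader(io.StringIO(text))
    return {r[0].strip().lower() for r in rows if r and r[0].strip()}


def analyze(lines, watchlist):
    """Return (hits, leaks): watch-list logins and indexes of lines with a password."""
    hits, leaks = [], []
    for idx, line in enumerate(lines):
        if SECRET_RE.search(line):
            leaks.append(idx)  # this device is logging a credential in clear text
        user = USER_RE.search(line)
        if user and SUCCESS_RE.search(line) and user.group("user").lower() in watchlist:
            hits.append((idx, user.group("user")))  # equivalent of "User IN watch list"
    return hits, leaks


def redact(line):
    """Mask password values before the line is forwarded or stored."""
    return SECRET_RE.sub(lambda m: m.group(1) + "=<redacted>", line)


if __name__ == "__main__":
    hits, leaks = analyze(SAMPLE_LOGS, load_watchlist(WATCHLIST_CSV))
    for idx, user in hits:
        print("watch-list login:", user, "|", redact(SAMPLE_LOGS[idx]))
    print("lines with clear-text passwords:", leaks)
```

Matching is on user name only, so a hit means a default account name was used, not that its password is still the default; the Discovery-time check described above covers that case.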