Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
80211WiGuy
Contributor

Created on ‎11-14-2025 05:57 AM

Can FAZ update a threat feed based on FAC logs for "AUTH_FAIL_NOUSER"?

Hello,

I'm pretty new to FAZ but we were sold on it based on it's ability to trigger actions based on log events.  Now that we have it, I'm not sure it can do what I had planned though.

 

Problem:  We're trying to phase-out SSL-VPN but can't right now.  We see constant attempts from certain subnets trying random user-names to log in that we'd like to block, but we don't want to block legitimate users that may have mistyped they're username.  The FAC log we see for this is "AUTH_FAIL_NOUSER" in the Log Description field.

 

Solution:  I'd like to detect instances of "AUTH_FAIL_NOUSER" and note the <User IP>.  If the User IP makes more than 5 attempts in 5hrs.  Add that IP to a threat feed (maybe on FMG), or at least send an alert.

 

Currently I'm doing this manually by checking the logs whenever I have time, and adding it to a threat feed we host on an internal github server.

 

I was trying to search for a solution like this but haven't come across one yet.

250
0 Kudos
6 REPLIES 6
Anthony_E
Community Manager
Community Manager

Created on ‎11-16-2025 10:27 PM

Hello,


Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.


Thanks,

Anthony-Fortinet Community Team.
193
farhanahmed
Staff
Staff

Created on ‎11-17-2025 01:09 PM

Hi,

 

You can use custom event handler to trigger an email alert:

 

Please refer to the doc:
https://docs.fortinet.com/document/fortianalyzer/7.6.4/administration-guide/348606/creating-a-custom...

In your case, identity the logs in FortiAnalyzer Log View and then use the log field in event handler to trigger the alert.
https://community.fortinet.com/t5/FortiAnalyzer/Technical-Tip-How-create-an-Event-Handler-in-FortiAn... 


Troubleshoot Event Handlers:
https://community.fortinet.com/t5/FortiAnalyzer/Troubleshooting-Tip-How-to-troubleshoot-for-event-ha... 

FA
184
80211WiGuy
Contributor
In response to farhanahmed

Created on ‎11-26-2025 04:36 AM

Hi Farhan,

Sorry for my delay in coming back to this.
Thank you for the suggestion but the examples provided are focused on FortiGate Logs.  I'm trying to hone in on FortiAuthenticator Logs with (logdesc) "AUTH_FAIL_NOUSER".  The guides provided also seem to be for an older version of FAZ where the forms have a different layout from what I'm seeing in v7.6.4.

 

In the log Field, I've chosen Log Description.  Then in Filters I've set "AUTH_FAIL_NOUSER".  But I cant seem to find the option for grouping by "User IP" which is a field I'm able to filter by in the Log View.  I want the rule to trigger when it sees AUTH_FAIL_NOUSER for the same User IP 24 times in 24hours.

AUTH_FAIL_NOUSER.png

128
0 Kudos
farhanahmed
Staff
Staff

Created on ‎11-28-2025 04:08 PM

Hi,
Under the 'Define Event Conditions' when you select the second option 'Within a group, the log field xxxxxx " what does it show in the drop down ?

FA
93
0 Kudos
80211WiGuy
Contributor
In response to farhanahmed

Created on ‎11-29-2025 04:20 AM

DefineEventConditions.UserIP.png

I am able to select User IP here...

74
0 Kudos
80211WiGuy
Contributor
In response to 80211WiGuy

Created on ‎11-29-2025 04:50 AM

I see in the Advanced Mode radio button option it has "COUNT_DISTINCT(userip) >= 1"

I think what I'm looking for is an option to say ?COUNT_MATCHES? for this.  My searches for what can be used in this field are coming up empty.

69
0 Kudos
Announcements
Check out our Community Chatter Blog! Click here to get involved
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.