
Summary
This detection rule identifies cases where a FortiGate SSL VPN login event is followed, within a short window (a maximum span of 10 minutes), by any alert raised by a Security Information and Event Management (SIEM) system for the same user name. A successful VPN login immediately followed by SIEM alerts can indicate malicious activity such as credential compromise or unauthorized access through the newly established VPN session. The rule uses EQL (Event Query Language) to query logs from Fortinet devices, focusing on the relevant authentication events and alerts, and it checks whether the SIEM alerts carry a risk level above a defined threshold. The analysis section gives guidance on investigating potential incidents: reviewing source IPs, verifying the user's activity, and correlating the data with authentication logs to identify suspicious behavior. Potential false positives include legitimate VPN use and automated tasks. If abuse is suspected, the rule calls for responsive action, such as disabling VPN access and escalating to the security team as necessary.
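The correlation the rule describes (a VPN login, then a sufficiently risky SIEM alert for the same user within 10 minutes) can be reproduced outside the SIEM to test the logic against sample data. The following Python script is an added example, not the rule's own EQL or any Fortinet or SIEM code; the event records, field names (`user`, `risk`, `src_ip`), and the risk threshold of 50 are constructed assumptions, since the page names no concrete fields or threshold value. It mirrors an EQL `sequence by user with maxspan=10m [login] [alert]` pattern in a simplified form (only the most recent open login per user is tracked) and, as the page's false-positive note suggests, lets known automation accounts be excluded.

```python
from datetime import datetime, timedelta

# Constructed sample events (not from the page or any real Fortinet/SIEM log).
# Each record is (timestamp_utc, kind, user, payload).
SAMPLE_EVENTS = [
    ("2026-02-20T08:00:00Z", "vpn_login",  "alice", {"src_ip": "203.0.113.10"}),
    ("2026-02-20T08:04:00Z", "siem_alert", "alice", {"risk": 70, "rule": "constructed-alert-A"}),
    ("2026-02-20T08:30:00Z", "vpn_login",  "bob",   {"src_ip": "198.51.100.5"}),
    ("2026-02-20T08:55:00Z", "siem_alert", "bob",   {"risk": 90, "rule": "constructed-alert-B"}),  # 25 min later: outside window
    ("2026-02-20T09:00:00Z", "vpn_login",  "carol", {"src_ip": "192.0.2.8"}),
    ("2026-02-20T09:02:00Z", "siem_alert", "carol", {"risk": 20, "rule": "constructed-alert-C"}),  # below risk threshold
    ("2026-02-20T09:10:00Z", "siem_alert", "dave",  {"risk": 95, "rule": "constructed-alert-D"}),  # no preceding VPN login
    ("2026-02-20T09:20:00Z", "vpn_login",  "svc-backup", {"src_ip": "192.0.2.9"}),
    ("2026-02-20T09:21:00Z", "siem_alert", "svc-backup", {"risk": 80, "rule": "constructed-alert-E"}),  # automation account
]

MAX_SPAN = timedelta(minutes=10)   # the page's 10-minute maximum span
RISK_THRESHOLD = 50                # assumed value; the page defines a threshold but not its number


def parse_ts(ts):
    """Parse the constructed ISO 8601 UTC timestamp format used above."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def correlate(events, max_span=MAX_SPAN, risk_threshold=RISK_THRESHOLD, ignore_users=()):
    """Return one match dict per (VPN login -> risky SIEM alert) pair for the same user.

    Simplified equivalent of an EQL `sequence by user with maxspan` over
    [vpn_login] [siem_alert]: each login opens a window for that user; the
    first alert inside the window whose risk meets the threshold closes it.
    Users in `ignore_users` (e.g. known automation accounts) never match.
    """
    open_logins = {}   # user -> most recent login event awaiting an alert
    matches = []
    for ev in sorted(events, key=lambda e: parse_ts(e[0])):
        ts, kind, user, payload = ev
        if user in ignore_users:
            continue
        if kind == "vpn_login":
            open_logins[user] = ev
        elif kind == "siem_alert":
            login = open_logins.get(user)
            if login is None:
                continue                      # alert with no preceding login
            if parse_ts(ts) - parse_ts(login[0]) > max_span:
                del open_logins[user]         # window expired; discard stale login
                continue
            if payload.get("risk", 0) < risk_threshold:
                continue                      # alert not risky enough, window stays open
            matches.append({
                "user": user,
                "login_time": login[0],
                "src_ip": login[3].get("src_ip"),
                "alert_time": ts,
                "alert_rule": payload.get("rule"),
                "risk": payload.get("risk"),
            })
            del open_logins[user]             # one match per login, like an EQL sequence
    return matches


if __name__ == "__main__":
    # Investigation hints from the page: source IP and the user to verify.
    for m in correlate(SAMPLE_EVENTS, ignore_users={"svc-backup"}):
        print(f"{m['user']}: login {m['login_time']} from {m['src_ip']} -> "
              f"alert {m['alert_rule']} (risk {m['risk']}) at {m['alert_time']}")
```

With the constructed input only `alice` fires: `bob`'s alert falls outside the 10-minute span, `carol`'s alert is below the threshold, `dave` has no preceding login, and `svc-backup` is excluded as an automation account. Lowering the threshold or dropping the exclusion shows how each knob trades detection coverage against the false positives the page mentions.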
Categories
- Network
- Cloud
- On-Premise
- Infrastructure
- Identity Management
Data Sources
- Pod
- User Account
- Network Traffic
- Logon Session
- Firewall
ATT&CK Techniques
- T1078
Created: 2026-02-20