Query Details

Fortinet IPS - High-Frequency Intrusion Prevention Alerts

07 CSL Fortinet IPS Alerts

Query

CommonSecurityLog
| where TimeGenerated > ago(1d)
| where DeviceVendor == "Fortinet"
| where DeviceEventClassID has_any ("IPS", "anomaly", "signature")
    or Activity has_any ("ips-packet", "app-ctrl", "anomaly")
| summarize
    HitCount         = count(),
    SourceIPs        = make_set(SourceIP, 20),
    DestinationIPs   = make_set(DestinationIP, 20),
    ProtocolsUsed    = make_set(Protocol, 5),
    SeverityValues   = make_set(LogSeverity, 5),
    FirstSeen        = min(TimeGenerated),
    LastSeen         = max(TimeGenerated)
  by Activity, DeviceEventClassID
| where HitCount > 10
| order by HitCount desc

Explanation

This query is designed to monitor and alert on high-frequency intrusion prevention events detected by Fortinet's Intrusion Prevention System (IPS) and Application Control. Here's a simple breakdown of what it does:

  1. Purpose: The query identifies instances where Fortinet IPS and Application Control block events occur more than 10 times within a 24-hour period. This could indicate potential security threats such as active exploitation attempts, automated attack tools, or compromised internal systems.

  2. Data Source: It uses data from the CommonSecurityLog via the CommonSecurityEvents connector.

  3. Time Frame: The query looks at events generated in the last 24 hours and runs every hour.

  4. Filtering Criteria: It specifically filters logs where the vendor is Fortinet and the event class ID or activity involves IPS, anomalies, or signatures.

  5. Aggregation: The query counts the number of events (HitCount) and collects information on source and destination IPs, protocols used, severity levels, and the first and last time the event was seen.

  6. Threshold: It only considers cases where the event count exceeds 10.

  7. Output: The results are sorted by the number of hits in descending order.

  8. Alerting: If the conditions are met, an alert is generated with details about the activity and the number of hits. The alert is named "Fortinet IPS Alert - [Activity] ([HitCount] hits)" and includes a description prompting a review of source IPs and affected destinations.

  9. Incident Management: The query is configured to create incidents for these alerts, with grouping enabled to consolidate related alerts within a 12-hour lookback period.

Overall, this query helps security teams quickly identify and respond to potential threats by highlighting repeated intrusion prevention alerts from Fortinet systems.

Details

David Alonso profile picture

David Alonso

Released: March 2, 2026

Tables

CommonSecurityLog

Keywords

CommonSecurityLogFortinetIPSAnomalySignatureActivitySourceIPDestinationIPProtocolLogSeverityTimeGenerated

Operators

ago()has_any()summarizecount()make_set()min()max()byorder bydesc

Severity

High

Tactics

InitialAccessExecution

MITRE Techniques

Frequency: 1h

Period: 1d

Actions

GitHub