Fortinet IPS - High-Frequency Intrusion Prevention Alerts
07 CSL Fortinet IPS Alerts
Query
CommonSecurityLog
| where TimeGenerated > ago(1d)
| where DeviceVendor == "Fortinet"
| where DeviceEventClassID has_any ("IPS", "anomaly", "signature")
or Activity has_any ("ips-packet", "app-ctrl", "anomaly")
| summarize
HitCount = count(),
SourceIPs = make_set(SourceIP, 20),
DestinationIPs = make_set(DestinationIP, 20),
ProtocolsUsed = make_set(Protocol, 5),
SeverityValues = make_set(LogSeverity, 5),
FirstSeen = min(TimeGenerated),
LastSeen = max(TimeGenerated)
by Activity, DeviceEventClassID
| where HitCount > 10
| order by HitCount descExplanation
This query is designed to monitor and alert on high-frequency intrusion prevention events detected by Fortinet's Intrusion Prevention System (IPS) and Application Control. Here's a simple breakdown of what it does:
-
Purpose: The query identifies instances where Fortinet IPS and Application Control block events occur more than 10 times within a 24-hour period. This could indicate potential security threats such as active exploitation attempts, automated attack tools, or compromised internal systems.
-
Data Source: It uses data from the
CommonSecurityLogvia theCommonSecurityEventsconnector. -
Time Frame: The query looks at events generated in the last 24 hours and runs every hour.
-
Filtering Criteria: It specifically filters logs where the vendor is Fortinet and the event class ID or activity involves IPS, anomalies, or signatures.
-
Aggregation: The query counts the number of events (HitCount) and collects information on source and destination IPs, protocols used, severity levels, and the first and last time the event was seen.
-
Threshold: It only considers cases where the event count exceeds 10.
-
Output: The results are sorted by the number of hits in descending order.
-
Alerting: If the conditions are met, an alert is generated with details about the activity and the number of hits. The alert is named "Fortinet IPS Alert - [Activity] ([HitCount] hits)" and includes a description prompting a review of source IPs and affected destinations.
-
Incident Management: The query is configured to create incidents for these alerts, with grouping enabled to consolidate related alerts within a 12-hour lookback period.
Overall, this query helps security teams quickly identify and respond to potential threats by highlighting repeated intrusion prevention alerts from Fortinet systems.
Details

David Alonso
Released: March 2, 2026
Tables
Keywords
Operators
Severity
HighTactics
Frequency: 1h
Period: 1d