Query Details

07 CSL Fortinet IPS Alerts

Query

id: a7b8c9d0-e1f2-4a3b-4c5d-6e7f8a9b0c1d
name: "Fortinet IPS - High-Frequency Intrusion Prevention Alerts"
version: 1.0.0
kind: Scheduled
description: |
  Surfaces Fortinet IPS and Application Control events (signature matches, anomalies and
  app-control hits) that occurred more than 10 times in a 24-hour period. Results are
  aggregated per signature (Activity and DeviceEventClassID) rather than per source, with
  up to 20 source and destination IPs collected on each row; the query does not filter on
  the device action, so detect-only hits are counted alongside blocks. Repeated hits on one
  signature may indicate an active exploitation attempt, automated attack tooling, or a
  compromised internal host attempting to exploit adjacent systems; the collected source
  IPs show whether one host or many are behind the count.
  MITRE ATT&CK: T1190 (Exploit Public-Facing Application), T1203 (Exploitation for Client Execution)
severity: High
requiredDataConnectors:
  - connectorId: CommonSecurityEvents
    dataTypes:
      - CommonSecurityLog
queryFrequency: 1h
queryPeriod: 1d
triggerOperator: gt
triggerThreshold: 0
tactics:
  - InitialAccess
  - Execution
relevantTechniques:
  - T1190
  - T1203
query: |
  CommonSecurityLog
  | where TimeGenerated > ago(1d)
  | where DeviceVendor == "Fortinet"
  | where DeviceEventClassID has_any ("IPS", "anomaly", "signature")
      or Activity has_any ("ips-packet", "app-ctrl", "anomaly")
  | summarize
      HitCount         = count(),
      SourceIPs        = make_set(SourceIP, 20),
      DestinationIPs   = make_set(DestinationIP, 20),
      ProtocolsUsed    = make_set(Protocol, 5),
      SeverityValues   = make_set(LogSeverity, 5),
      FirstSeen        = min(TimeGenerated),
      LastSeen         = max(TimeGenerated)
    by Activity, DeviceEventClassID
  | where HitCount > 10
  | order by HitCount desc
entityMappings: []
customDetails:
  HitCount: HitCount
  Activity: Activity
alertDetailsOverride:
  alertDisplayNameFormat: "Fortinet IPS Alert - {{Activity}} ({{HitCount}} hits)"
  alertDescriptionFormat: "Fortinet IPS/App Control signature {{Activity}} triggered {{HitCount}} events. Review source IPs and affected destinations for active exploitation."
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    enabled: true
    reopenClosedIncident: false
    lookbackDuration: PT12H
    matchingMethod: AnyAlert
    groupByEntities: []
    groupByAlertDetails: []
    groupByCustomDetails:
      - Activity

Explanation

This query monitors and alerts on high-frequency intrusion prevention events from Fortinet's IPS (Intrusion Prevention System) and Application Control. Here's a simplified breakdown:

  1. Purpose: The query surfaces signatures that a Fortinet IPS or Application Control engine matched more than 10 times within a 24-hour period. This could indicate active exploitation attempts, automated attack tools, or compromised internal systems.

  2. Data Source: It uses the CommonSecurityLog table populated by the CommonSecurityEvents (CEF) connector, restricted to rows whose DeviceVendor is "Fortinet".

  3. Time Frame: The query looks at events from the past day (24 hours) and runs every hour, so a signature that keeps firing is re-evaluated each hour until its hits age out of the window; incident grouping (item 8) keeps those repeat alerts together.

  4. Criteria: It keeps rows whose DeviceEventClassID contains the terms IPS, anomaly or signature, or whose Activity contains ips-packet, app-ctrl or anomaly. has_any matches whole terms case-insensitively, not substrings. Nothing filters on DeviceAction, so detect-only hits count the same as blocks.

  5. Output: It groups by Activity and DeviceEventClassID, counting hits per signature and collecting related information: up to 20 distinct source and destination IPs, up to 5 protocols and severity values, and the first and last time seen. Only groups with more than 10 hits are returned, largest first.

  6. Alerting: Each returned row becomes an alert whose title and description carry the Activity and hit count and prompt the analyst to review the source and destination IPs for signs of exploitation. No entities are mapped and only HitCount and Activity are exposed as custom details, so the collected IPs are visible in the query results but are not attached to the alert as entities.

  7. Severity and Techniques: The alert is marked High severity and mapped to MITRE ATT&CK T1190 (Exploit Public-Facing Application) and T1203 (Exploitation for Client Execution) under the Initial Access and Execution tactics.

  8. Incident Management: Each alert creates an incident. Alerts sharing the same Activity custom detail within a 12-hour lookback are grouped into the existing incident; closed incidents are not reopened.

Overall, this query helps security teams quickly identify and respond to potential threats by highlighting repeated intrusion prevention events from Fortinet devices.
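The rule's logic as runnable code, added here as an example that is not part of the page or the rule itself: it re-implements the KQL above in Python over constructed CEF lines so the filter, aggregation and threshold can be inspected without a Sentinel workspace. The `has_any` helper approximates KQL term matching; the CEF-to-CommonSecurityLog column mapping is the standard one (SignatureID to DeviceEventClassID, Name to Activity, src/dst/proto to SourceIP/DestinationIP/Protocol); the signature IDs, names and addresses in the sample are constructed, not real FortiGate values; and `hits_per_source` is an added triage helper the rule does not contain.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

NOW = datetime(2026, 3, 2, 12, 0, tzinfo=timezone.utc)  # fixed clock so ago(1d) is deterministic
_EXT_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")       # CEF extension key=value pairs


def parse_cef(line):
    """Map one CEF line onto the CommonSecurityLog columns the rule reads. The header is
    CEF:Version|DeviceVendor|DeviceProduct|DeviceVersion|SignatureID|Name|Severity|Extension;
    SignatureID becomes DeviceEventClassID and Name becomes Activity. Sentinel stamps
    TimeGenerated at ingestion; offline, the rt= extension (epoch ms) stands in for it."""
    h = line.split("|", 7)
    ext = dict(_EXT_RE.findall(h[7]))
    return {"TimeGenerated": datetime.fromtimestamp(int(ext["rt"]) / 1000, tz=timezone.utc),
            "DeviceVendor": h[1], "DeviceEventClassID": h[4], "Activity": h[5], "LogSeverity": h[6],
            "SourceIP": ext.get("src"), "DestinationIP": ext.get("dst"), "Protocol": ext.get("proto")}


def has_any(text, needles):
    """Approximates KQL has_any: case-insensitive whole-term matching, so "IPS" matches
    "utm:ips blocked" but not "utmips", and "app-ctrl" means the adjacent terms app, ctrl."""
    toks = re.findall(r"[a-z0-9]+", text.lower())
    for needle in needles:
        n = re.findall(r"[a-z0-9]+", needle.lower())
        if any(toks[i:i + len(n)] == n for i in range(len(toks) - len(n) + 1)):
            return True
    return False


def matching_rows(rows, now=NOW):
    """The rule's where clauses: 24h window, DeviceVendor == Fortinet, IPS/app-control terms.
    There is no DeviceAction filter, so detect-only hits are counted like blocks."""
    window_start = now - timedelta(days=1)
    for r in rows:
        if r["TimeGenerated"] <= window_start or r["DeviceVendor"] != "Fortinet":
            continue
        if (has_any(r["DeviceEventClassID"], ("IPS", "anomaly", "signature"))
                or has_any(r["Activity"], ("ips-packet", "app-ctrl", "anomaly"))):
            yield r


def _make_set(rs, col, cap):
    # make_set(col, cap): distinct non-null values, keeping at most cap of them.
    return set(list(dict.fromkeys(r[col] for r in rs if r[col] is not None))[:cap])


def fortinet_ips_alerts(rows, now=NOW, threshold=10):
    """The summarize ... by Activity, DeviceEventClassID | where HitCount > 10 | order by part."""
    groups = defaultdict(list)
    for r in matching_rows(rows, now):
        groups[(r["Activity"], r["DeviceEventClassID"])].append(r)
    alerts = []
    for (activity, class_id), rs in groups.items():
        if len(rs) > threshold:
            alerts.append({"Activity": activity, "DeviceEventClassID": class_id, "HitCount": len(rs),
                           "SourceIPs": _make_set(rs, "SourceIP", 20),
                           "DestinationIPs": _make_set(rs, "DestinationIP", 20),
                           "ProtocolsUsed": _make_set(rs, "Protocol", 5),
                           "SeverityValues": _make_set(rs, "LogSeverity", 5),
                           "FirstSeen": min(r["TimeGenerated"] for r in rs),
                           "LastSeen": max(r["TimeGenerated"] for r in rs)})
    return sorted(alerts, key=lambda a: a["HitCount"], reverse=True)


def hits_per_source(rows, alert, now=NOW):
    """Triage view the rule does not produce: hits per SourceIP behind one alert. It tells
    one host hammering a signature apart from many sources that each tripped it once."""
    counts = defaultdict(int)
    for r in matching_rows(rows, now):
        if (r["Activity"], r["DeviceEventClassID"]) == (alert["Activity"], alert["DeviceEventClassID"]):
            counts[r["SourceIP"]] += 1
    return dict(sorted(counts.items(), key=lambda kv: kv[1], reverse=True))


def _cef(sig_id, name, sev, src, dst, proto, age_min, vendor="Fortinet"):
    # Constructed sample line; the signature IDs and names are illustrative, not real FortiGate values.
    rt = int((NOW - timedelta(minutes=age_min)).timestamp() * 1000)
    return f"CEF:0|{vendor}|FortiGate|v7.0|{sig_id}|{name}|{sev}|src={src} dst={dst} proto={proto} act=dropped rt={rt}"


SAMPLE_LINES = (  # constructed data: one noisy host, one spread-out signature, plus rows the rule must drop
    [_cef("IPS", "ips-packet signature blocked", 7, "10.0.0.5", f"10.0.1.{i % 3}", "TCP", 5 * i) for i in range(12)]
    + [_cef("IPS", "ips-packet signature blocked", 7, "10.0.0.5", "10.0.1.0", "TCP", 1800 + i) for i in range(2)]  # >24h old
    + [_cef("APPCTRL", "app-ctrl block", 5, f"192.0.2.{i}", "10.0.2.10", "TCP", 10 * i) for i in range(11)]  # 11 sources
    + [_cef("anomaly", "anomaly: tcp_syn_flood", 6, "198.51.100.7", "10.0.2.10", "TCP", 15 * i) for i in range(3)]  # < threshold
    + [_cef("traffic", "forward accept", 3, "10.0.0.9", "10.0.3.1", "UDP", 2 * i) for i in range(15)]  # no IPS/app-ctrl term
    + [_cef("IPS", "ips-packet signature blocked", 7, "10.0.0.5", "10.0.1.0", "TCP", i, vendor="OtherVendor") for i in range(12)]
)
ROWS = [parse_cef(line) for line in SAMPLE_LINES]

if __name__ == "__main__":
    for alert in fortinet_ips_alerts(ROWS):
        print(alert["Activity"], alert["HitCount"], "hits; per source:", hits_per_source(ROWS, alert))
```

On the constructed data the rule returns two rows that look alike in the alert title (12 and 11 hits), yet one is a single internal host hitting a signature repeatedly (the compromised-host case the description warns about) and the other is eleven different sources tripping an app-control signature once each. Because the rule aggregates per signature and maps no entities, that difference only shows up in the SourceIPs column of the query results; if it matters for triage, add SourceIP to the `by` clause or map the source address as an entity so incidents can group on it.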

Details

David Alonso

Released: March 2, 2026

Tables

CommonSecurityLog

Keywords

CommonSecurityLog, Fortinet, IPS, Anomaly, Signature, Activity, SourceIP, DestinationIP, Protocol, LogSeverity, TimeGenerated

Operators

|, where, >, ago, ==, has_any, or, summarize, =, count, make_set, min, max, by, order by, desc