Fortinet IPS - High-Frequency Intrusion Prevention Alerts
07 CSL Fortinet IPS Alerts
Query
CommonSecurityLog
| where TimeGenerated > ago(1d)
| where DeviceVendor == "Fortinet"
| where DeviceEventClassID has_any ("IPS", "anomaly", "signature")
or Activity has_any ("ips-packet", "app-ctrl", "anomaly")
| summarize
HitCount = count(),
SourceIPs = make_set(SourceIP, 20),
DestinationIPs = make_set(DestinationIP, 20),
ProtocolsUsed = make_set(Protocol, 5),
SeverityValues = make_set(LogSeverity, 5),
FirstSeen = min(TimeGenerated),
LastSeen = max(TimeGenerated)
by Activity, DeviceEventClassID
| where HitCount > 10
| order by HitCount descExplanation
This query is designed to monitor and alert on high-frequency intrusion prevention events detected by Fortinet's IPS (Intrusion Prevention System) and Application Control. Here's a simplified breakdown:
-
Purpose: The query identifies and surfaces events where Fortinet's IPS or Application Control has blocked activities more than 10 times within a 24-hour period. This could indicate potential security threats such as active exploitation attempts, automated attack tools, or compromised internal systems.
-
Data Source: It uses data from the
CommonSecurityLogvia theCommonSecurityEventsconnector, focusing on logs generated by Fortinet devices. -
Time Frame: The query looks at events from the past day (24 hours).
-
Criteria: It filters for events related to IPS, anomalies, or specific signatures, and counts how many times each type of event occurred.
-
Output: The query summarizes the data by counting the number of hits (events) and collecting related information such as source and destination IPs, protocols used, and severity levels. It then filters to show only those events that occurred more than 10 times.
-
Alerting: If any such events are found, an alert is triggered. The alert includes details like the type of activity and the number of hits, and it suggests reviewing the source and destination IPs for signs of exploitation.
-
Severity and Techniques: The alert is marked with high severity and is associated with specific MITRE ATT&CK techniques related to initial access and execution (T1190 and T1203).
-
Incident Management: If an alert is generated, an incident is created. The system is configured to group similar alerts into a single incident if they occur within a 12-hour window.
Overall, this query helps security teams quickly identify and respond to potential threats by highlighting repeated intrusion prevention events from Fortinet devices.
Details

David Alonso
Released: March 2, 2026
Tables
Keywords
Operators
Severity
HighTactics
Frequency: 1h
Period: 1d