Query Details

Fortinet IPS - High-Frequency Intrusion Prevention Alerts

07 CSL Fortinet IPS Alerts

Query

CommonSecurityLog
| where TimeGenerated > ago(1d)
| where DeviceVendor == "Fortinet"
| where DeviceEventClassID has_any ("IPS", "anomaly", "signature")
    or Activity has_any ("ips-packet", "app-ctrl", "anomaly")
| summarize
    HitCount         = count(),
    SourceIPs        = make_set(SourceIP, 20),
    DestinationIPs   = make_set(DestinationIP, 20),
    ProtocolsUsed    = make_set(Protocol, 5),
    SeverityValues   = make_set(LogSeverity, 5),
    FirstSeen        = min(TimeGenerated),
    LastSeen         = max(TimeGenerated)
  by Activity, DeviceEventClassID
| where HitCount > 10
| order by HitCount desc

Explanation

This query is designed to monitor and alert on high-frequency intrusion prevention events detected by Fortinet's IPS (Intrusion Prevention System) and Application Control. Here's a simplified breakdown:

  1. Purpose: The query identifies and surfaces events where Fortinet's IPS or Application Control has blocked activities more than 10 times within a 24-hour period. This could indicate potential security threats such as active exploitation attempts, automated attack tools, or compromised internal systems.

  2. Data Source: It uses data from the CommonSecurityLog via the CommonSecurityEvents connector, focusing on logs generated by Fortinet devices.

  3. Time Frame: The query looks at events from the past day (24 hours).

  4. Criteria: It filters for events related to IPS, anomalies, or specific signatures, and counts how many times each type of event occurred.

  5. Output: The query summarizes the data by counting the number of hits (events) and collecting related information such as source and destination IPs, protocols used, and severity levels. It then filters to show only those events that occurred more than 10 times.

  6. Alerting: If any such events are found, an alert is triggered. The alert includes details like the type of activity and the number of hits, and it suggests reviewing the source and destination IPs for signs of exploitation.

  7. Severity and Techniques: The alert is marked with high severity and is associated with specific MITRE ATT&CK techniques related to initial access and execution (T1190 and T1203).

  8. Incident Management: If an alert is generated, an incident is created. The system is configured to group similar alerts into a single incident if they occur within a 12-hour window.

Overall, this query helps security teams quickly identify and respond to potential threats by highlighting repeated intrusion prevention events from Fortinet devices.

Details

David Alonso profile picture

David Alonso

Released: March 2, 2026

Tables

CommonSecurityLog

Keywords

CommonSecurityLogFortinetIPSAnomalySignatureActivitySourceIPDestinationIPProtocolLogSeverityTimeGenerated

Operators

|where>ago==has_anyorsummarize=countmake_setminmaxbyorder bydesc

Severity

High

Tactics

InitialAccessExecution

MITRE Techniques

Frequency: 1h

Period: 1d

Actions

GitHub